GNU bug report logs - #57956
29.0.50; Add minimal authorization support to sasl-scram-rfc


Package: emacs; Reported by: "J.P." <jp@HIDDEN>; Keywords: patch; dated Tue, 20 Sep 2022 13:07:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 57956 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: "J.P." <jp@HIDDEN>
Subject: Re: bug#57956: 29.0.50; Add minimal authorization support to
 sasl-scram-rfc
In-Reply-To: <871qs62o0y.fsf@HIDDEN> (J. P.'s message of "Tue, 20 Sep
 2022 06:06:37 -0700")
References: <871qs62o0y.fsf@HIDDEN>
X-Now-Playing: Job Sifre's _Cold Wave Volume 2_: "At Least We Try"
Date: Tue, 20 Sep 2022 17:28:26 +0200
Message-ID: <87tu52awv9.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Cc: 57956 <at> debbugs.gnu.org, Magnus Henoch <magnus.henoch@HIDDEN>,
 emacs-erc@HIDDEN

"J.P." <jp@HIDDEN> writes:

> Anyway, ERC would benefit greatly from these (or superior) changes
> because we'd like to introduce `erc-compat' analogs in an upcoming
> release (probably ERC 5.6). If anyone out there can spare the time,
> your feedback would be greatly appreciated.

Looks OK to me.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#57956; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: "J.P." <jp@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: 29.0.50; Add minimal authorization support to sasl-scram-rfc
X-Debbugs-CC: emacs-erc@HIDDEN
Date: Tue, 20 Sep 2022 06:06:37 -0700
Message-ID: <871qs62o0y.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Cc: Magnus Henoch <magnus.henoch@HIDDEN>

Tags: patch

Hi people,

ERC plans on basing its SASL library on sasl.el and friends. Although
rare, authorization (or "authz") support is sometimes needed by IRC
administrators wanting to authenticate as other users. It's also
expected by at least one IRC-compliance test suite [1]. The PLAIN
implementation in sasl.el currently offers implicit support via the
`authenticator-name' client property (see `sasl-plain-response'). This
patch proposes we do much the same with sasl-scram-rfc.el.

As for specifics, I've encapsulated the actual prop-lookup and
header-construction details in a new function that's called indirectly
via a new top-level variable (although perhaps that's just unnecessary
or more suited to a user option). The only other change appears in
`sasl-scram--client-final-message'. It concerns the base64 encoding of
the GS2 header and the client proof, both of which currently suffer from
occasional whitespace complications [2].

Anyway, ERC would benefit greatly from these (or superior) changes
because we'd like to introduce `erc-compat' analogs in an upcoming
release (probably ERC 5.6). If anyone out there can spare the time,
your feedback would be greatly appreciated.

Thanks,
J.P.

P.S. Tests covering these changes appear in the patch sets for bug#29108
and bug#49860.


[1] Authz support for PLAIN, with SCRAM possibly on the way:

    https://github.com/progval/irctest/blob/master/irctest/client_tests/sasl.py

[2] Calling `base64-encode-string' with NO-LINE-BREAK set to t seems to
    solve the issue, which is likely related to this excerpt from
    https://www.rfc-editor.org/rfc/rfc5802#section-2.1:
 
     "The use of base64 in SCRAM is restricted to the canonical form
      with no whitespace."
 
    FWIW, I tried advising `base64-encode-string' to avoid having to
    submit a patch, but it seems the byte compiler precomputes the
    result for certain constant params, like `cbind-input' in
    `sasl-scram--client-final-message'.


In GNU Emacs 29.0.50 (build 2, x86_64-pc-linux-gnu, GTK+ Version
 3.24.34, cairo version 1.17.6) of 2022-09-19 built on localhost
Repository revision: 132d5cb0a3ec94afbb49772631861e00160ffffb
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.12014000
System Description: Fedora Linux 36 (Workstation Edition)

Configured using:
 'configure --enable-check-lisp-object-type --enable-checking=yes,glyphs
 'CFLAGS=-O0 -g3'
 PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

Configured features:
ACL CAIRO DBUS FREETYPE GIF GLIB GMP GNUTLS GPM GSETTINGS HARFBUZZ JPEG
JSON LCMS2 LIBOTF LIBSELINUX LIBSYSTEMD LIBXML2 M17N_FLT MODULES NOTIFY
INOTIFY PDUMPER PNG RSVG SECCOMP SOUND SQLITE3 THREADS TIFF
TOOLKIT_SCROLL_BARS WEBP X11 XDBE XIM XINPUT2 XPM GTK3 ZLIB

Important settings:
  value of $LANG: en_US.UTF-8
  value of $XMODIFIERS: @im=ibus
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction


Attachment (text/x-patch): 0001-Add-GS2-authorization-to-sasl-scram-rfc.patch

From 91e33541457a55e2e509d800cd8b9f97702e706d Mon Sep 17 00:00:00 2001
From: "F. Jason Park" <jp@HIDDEN>
Date: Mon, 19 Sep 2022 21:28:52 -0700
Subject: [PATCH 1/4] Add GS2 authorization to sasl-scram-rfc

* lisp/net/sasl-scram-rfc.el (sasl-scram-fs2-header-function,
sasl-scram-construct-gs2-header): Add new variable and default
function for determining a SCRAM GSS-API message header.
(sasl-scram-client-first-message): Use gs2-header function.
(sasl-scram--client-final-message): Use dedicated gs2-header function.
Also remove whitespace when base64-encoding, as per RFC 5802.
---
 lisp/net/sasl-scram-rfc.el | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/lisp/net/sasl-scram-rfc.el b/lisp/net/sasl-scram-rfc.el
index ee52ed6e07..f7a2e42541 100644
--- a/lisp/net/sasl-scram-rfc.el
+++ b/lisp/net/sasl-scram-rfc.el
@@ -45,14 +45,21 @@
 
 ;;; Generic for SCRAM-*
 
+(defvar sasl-scram-gs2-header-function 'sasl-scram-construct-gs2-header
+  "Function to create GS2 header.
+See https://www.rfc-editor.org/rfc/rfc5801#section-4.")
+
+(defun sasl-scram-construct-gs2-header (client)
+  ;; The "n," means the client doesn't support channel binding, and
+  ;; the trailing comma is included as per RFC 5801.
+  (let ((authzid (sasl-client-property client 'authenticator-name)))
+    (concat "n," (and authzid "a=") authzid ",")))
+
 (defun sasl-scram-client-first-message (client _step)
   (let ((c-nonce (sasl-unique-id)))
     (sasl-client-set-property client 'c-nonce c-nonce))
   (concat
-   ;; n = client doesn't support channel binding
-   "n,"
-   ;; TODO: where would we get authorization id from?
-   ","
+   (funcall sasl-scram-gs2-header-function client)
    (sasl-scram--client-first-message-bare client)))
 
 (defun sasl-scram--client-first-message-bare (client)
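Review bot: `sasl-scram-construct-gs2-header` splices the `authenticator-name` value into the comma-delimited header verbatim, so an authzid containing ',' or '=' would corrupt the header; RFC 5802 (section 5.1) defines authzid as `a=` followed by a saslname in which '=' and ',' must be encoded as `=3D` and `=2C`, so either encode the value here or reject such values with `sasl-error`, as the nonce check in the final-message function already does. Two smaller points: the new defun has no docstring, unlike the defvar right above it, and the ChangeLog entry names the variable `sasl-scram-fs2-header-function` while the code defines `sasl-scram-gs2-header-function`.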
@@ -77,11 +84,11 @@ sasl-scram--client-final-message
 
 	 (c-nonce (sasl-client-property client 'c-nonce))
 	 ;; no channel binding, no authorization id
-	 (cbind-input "n,,"))
+         (cbind-input (funcall sasl-scram-gs2-header-function client)))
     (unless (string-prefix-p c-nonce nonce)
       (sasl-error "Invalid nonce from server"))
     (let* ((client-final-message-without-proof
-	    (concat "c=" (base64-encode-string cbind-input) ","
+            (concat "c=" (base64-encode-string cbind-input t) ","
 		    "r=" nonce))
 	   (password
 	    ;; TODO: either apply saslprep or disallow non-ASCII characters
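Review bot: the comment `;; no channel binding, no authorization id` immediately above the new `cbind-input` line is now stale, since the header may carry `a=<authzid>`; reword it to say the value must be byte-identical to the GS2 header sent in the client-first-message. Recomputing it with a second `funcall` also relies on `authenticator-name` not changing between the two steps; storing the header in a client property in `sasl-scram-client-first-message` (as is already done for `c-nonce`) and reading it back here would guarantee that the `c=` attribute matches what the server saw. Both replacement lines switch from tab to space indentation, unlike the surrounding lines.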
@@ -113,7 +120,7 @@ sasl-scram--client-final-message
 	   (client-proof (funcall string-xor client-key client-signature))
 	   (client-final-message
 	    (concat client-final-message-without-proof ","
-		    "p=" (base64-encode-string client-proof))))
+                    "p=" (base64-encode-string client-proof t))))
       (sasl-client-set-property client 'auth-message auth-message)
       (sasl-client-set-property client 'salted-password salted-password)
       client-final-message)))
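Review bot: passing NO-LINE-BREAK as `t` for the client proof is the same fix applied to `cbind-input` in the previous hunk and matches the RFC 5802 section 2.1 requirement quoted in the report, so the change is correct; the only issue is that the replacement line is indented with spaces where the neighbouring lines use tabs, so re-indent `"p=" (base64-encode-string client-proof t))))` to match.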
-- 
2.37.2


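Added example in Python (not code from the patch or from sasl.el): it builds the same GS2 header the patch's `sasl-scram-construct-gs2-header` produces, derives the `c=` attribute the client-final-message must carry, and checks a received `c=` value the way a server would, including the no-whitespace rule from RFC 5802 section 2.1 quoted in the report. It goes beyond the patch in one respect: the authzid and username are escaped per RFC 5802 section 5.1 (`=` as `=3D`, `,` as `=2C`). Function names and sample values are assumptions.

```python
import base64
import re
from typing import Optional

# Added example, not the Emacs patch's code. Function names are assumptions.


def saslname(value: str) -> str:
    """Escape a SCRAM saslname (RFC 5802 section 5.1). '=' is encoded first
    so the '=' introduced by '=2C' is not encoded a second time."""
    return value.replace("=", "=3D").replace(",", "=2C")


def gs2_header(authzid: Optional[str] = None) -> str:
    """GS2 header as in the patch: 'n,' (no channel binding support), an
    optional 'a=<authzid>', then the trailing comma required by RFC 5801."""
    authz = ("a=" + saslname(authzid)) if authzid else ""
    return "n," + authz + ","


def client_first_message(username: str, c_nonce: str,
                         authzid: Optional[str] = None) -> str:
    """GS2 header followed by the client-first-message-bare (n=..., r=...)."""
    return gs2_header(authzid) + "n=" + saslname(username) + ",r=" + c_nonce


def cbind_attribute(header: str) -> str:
    """The c= attribute of the client-final-message: canonical base64 of the
    exact GS2 header bytes sent earlier. b64encode never inserts line
    breaks, unlike base64.encodebytes (or Emacs' default line wrapping)."""
    return "c=" + base64.b64encode(header.encode("utf-8")).decode("ascii")


def cbind_matches_header(cbind: str, header: str) -> bool:
    """Server-side check: reject whitespace or non-canonical base64, then
    require the decoded value to be byte-identical to the GS2 header."""
    if not cbind.startswith("c=") or re.search(r"\s", cbind):
        return False
    try:
        decoded = base64.b64decode(cbind[2:], validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return False
    return decoded == header.encode("utf-8")


if __name__ == "__main__":
    # Constructed sample: an admin authenticating on behalf of another
    # user whose name contains a comma, with a made-up client nonce.
    nonce = "rOprNGfwEbeRWgbNEkqO"
    print(client_first_message("admin", nonce, authzid="other,user"))
    c_attr = cbind_attribute(gs2_header("other,user"))
    print(c_attr, cbind_matches_header(c_attr, gs2_header("other,user")))
    # A line-broken encoding, as encodebytes produces, is rejected.
    broken = "c=" + base64.encodebytes(b"n,,").decode("ascii")
    print(repr(broken), cbind_matches_header(broken, "n,,"))
```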




Acknowledgement sent to "J.P." <jp@HIDDEN>:
New bug report received and forwarded. Copy sent to emacs-erc@HIDDEN, bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to emacs-erc@HIDDEN, bug-gnu-emacs@HIDDEN:
bug#57956; Package emacs. Full text available.
Last modified: Tue, 20 Sep 2022 15:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.