Commit

irc: add support of "ecdsa-nist256p-challenge" SASL mechanism (closes #…
flashcode committed Jan 19, 2015
1 parent 083a6c7 commit e2be018
Showing 32 changed files with 1,082 additions and 234 deletions.
1 change: 1 addition & 0 deletions ChangeLog.asciidoc
Expand Up @@ -17,6 +17,7 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes]

=== New features

* irc: add support of "ecdsa-nist256p-challenge" SASL mechanism (closes #251)
* core: add priority in plugins to initialize them in order
* doc: add Russian man page

13 changes: 9 additions & 4 deletions doc/de/autogen/user/irc_options.asciidoc
Expand Up @@ -568,13 +568,18 @@
** Typ: integer
** Werte: continue, reconnect, disconnect (Standardwert: `continue`)
* [[option_irc.server_default.sasl_key]] *irc.server_default.sasl_key*
** Beschreibung: `file with ECC private key for mechanism "ecdsa-nist256p-challenge" ("%h" will be replaced by WeeChat home, "~/.weechat" by default)`
** Typ: Zeichenkette
** Werte: beliebige Zeichenkette (Standardwert: `""`)
* [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism*
** Beschreibung: `Verfahren welches bei einer SASL Authentifizierung angewandt werden soll: "plain" Passwort wird im Klartext gesendet, "dh-blowfish" Passwort wird mittels blowfish verschlüsselt, "dh-aes" Passwort wird mittels AES verschlüsselt, "external" SSL Zertifikat welches auf Client Seite vorliegt, wird verwendet`
** Beschreibung: `mechanism for SASL authentication: "plain" for plain text password, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL cert, "dh-blowfish" for blowfish crypted password (insecure, not recommended), "dh-aes" for AES crypted password (insecure, not recommended)`
** Typ: integer
** Werte: plain, dh-blowfish, dh-aes, external (Standardwert: `plain`)
** Werte: plain, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes (Standardwert: `plain`)
* [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password*
** Beschreibung: `Passwort für SASL Authentifikation (Hinweis: Inhalt wird evaluiert, siehe /help eval)`
** Beschreibung: `password for SASL authentication; this option is not used for mechanisms "ecdsa-nist256p-challenge" and "external" (note: content is evaluated, see /help eval)`
** Typ: Zeichenkette
** Werte: beliebige Zeichenkette (Standardwert: `""`)
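Review bot: the German descriptions of sasl_mechanism and sasl_password in this hunk are replaced by the English source strings, so the de option reference loses translations it already had (the old "Verfahren welches bei einer SASL Authentifizierung angewandt werden soll: ..." text is dropped). Update the German translation of the changed strings in the same commit, or carry the existing wording over with the new mechanism added. The it and ja autogen files on this page regress the same way.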
Expand All @@ -584,7 +589,7 @@
** Werte: 1 .. 3600 (Standardwert: `15`)
* [[option_irc.server_default.sasl_username]] *irc.server_default.sasl_username*
** Beschreibung: `Username für SASL Authentifikation (Hinweis: Inhalt wird evaluiert, siehe /help eval)`
** Beschreibung: `username for SASL authentication; this option is not used for mechanism "external" (note: content is evaluated, see /help eval)`
** Typ: Zeichenkette
** Werte: beliebige Zeichenkette (Standardwert: `""`)
10 changes: 8 additions & 2 deletions doc/de/weechat_user.de.asciidoc
Expand Up @@ -102,7 +102,7 @@ welche Pakete optional genutzt werden können.
| libcurl4-gnutls-dev | | *ja* | URL Transfer
| zlib1g-dev | | *ja* | Kompression für Pakete, die mittels Relay- (WeeChat Protokoll), Script-Erweiterung übertragen werden
| libgcrypt20-dev | | *ja* | Geschützte Daten, IRC SASL Authentifikation (DH-BLOWFISH/DH-AES), Skript-Erweiterung
| libgnutls28-dev | ≥ 2.2.0 | | SSL Verbindung zu einem IRC Server, Unterstützung von SSL in der Relay-Erweiterung
| libgnutls28-dev | ≥ 2.2.0 | | SSL Verbindung zu einem IRC Server, Unterstützung von SSL in der Relay-Erweiterung, IRC SASL Authentifikation (ECDSA-NIST256P-CHALLENGE)
| gettext | | | Internationalisierung (Übersetzung der Mitteilungen; Hauptsprache ist englisch)
| ca-certificates | | | Zertifikate für SSL Verbindungen
| libaspell-dev oder libenchant-dev | | | Aspell Erweiterung
Expand Down Expand Up @@ -2219,9 +2219,11 @@ Für weiterreichende Informationen lesen Sie bitte: http://www.oftc.net/oftc/Nic
WeeChat unterstützt eine SASL Authentifikation, mittels verschiedener Mechanismen:

* 'plain': Passwort liegt in Klarschrift vor (Standard)
// TRANSLATION MISSING
* 'ecdsa-nist256p-challenge': challenge with public/private key
* 'external': SSL Zertifikat welches auf Client Seite vorliegt
* 'dh-blowfish': Passwort wird mittels blowfish verschlüsselt
* 'dh-aes': Passwort wird mittels AES verschlüsselt
* 'external': SSL Zertifikat welches auf Client Seite vorliegt

[NOTE]
Die "gcrypt" Bibliothek wird beim kompilieren von WeeChat benötigt um
Expand All @@ -2231,8 +2233,12 @@ Optionen für Server sind:

* 'sasl_mechanism': Mechanismus welcher genutzt werden soll (siehe oben)
* 'sasl_timeout': Zeitüberschreitung für Authentifizierung (in Sekunden)
// TRANSLATION MISSING
* 'sasl_fail': action to perform if authentication fails
* 'sasl_username': Username (Nickname)
* 'sasl_password': Passwort
// TRANSLATION MISSING
* 'sasl_key': path to private key (for mechanism 'ecdsa-nist256p-challenge')

[[irc_tor_freenode]]
==== Verbindung zu Freenode mittels TOR/SASL herstellen
13 changes: 9 additions & 4 deletions doc/en/autogen/user/irc_options.asciidoc
Expand Up @@ -568,13 +568,18 @@
** type: integer
** values: continue, reconnect, disconnect (default value: `continue`)
* [[option_irc.server_default.sasl_key]] *irc.server_default.sasl_key*
** description: `file with ECC private key for mechanism "ecdsa-nist256p-challenge" ("%h" will be replaced by WeeChat home, "~/.weechat" by default)`
** type: string
** values: any string (default value: `""`)
* [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism*
** description: `mechanism for SASL authentication: "plain" for plain text password, "dh-blowfish" for blowfish crypted password, "dh-aes" for AES crypted password, "external" for authentication using client side SSL cert`
** description: `mechanism for SASL authentication: "plain" for plain text password, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL cert, "dh-blowfish" for blowfish crypted password (insecure, not recommended), "dh-aes" for AES crypted password (insecure, not recommended)`
** type: integer
** values: plain, dh-blowfish, dh-aes, external (default value: `plain`)
** values: plain, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes (default value: `plain`)
* [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password*
** description: `password for SASL authentication (note: content is evaluated, see /help eval)`
** description: `password for SASL authentication; this option is not used for mechanisms "ecdsa-nist256p-challenge" and "external" (note: content is evaluated, see /help eval)`
** type: string
** values: any string (default value: `""`)
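Review bot: the new sasl_key description does not say whether its content is evaluated, while sasl_password and sasl_username on this page both carry "(note: content is evaluated, see /help eval)"; state it either way so users know whether an expression can be used in the path. The phrase "file with ECC private key" also leaves the expected file format open, so name the format the loader accepts.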
Expand All @@ -584,7 +589,7 @@
** values: 1 .. 3600 (default value: `15`)
* [[option_irc.server_default.sasl_username]] *irc.server_default.sasl_username*
** description: `username for SASL authentication (note: content is evaluated, see /help eval)`
** description: `username for SASL authentication; this option is not used for mechanism "external" (note: content is evaluated, see /help eval)`
** type: string
** values: any string (default value: `""`)
7 changes: 5 additions & 2 deletions doc/en/weechat_user.en.asciidoc
Expand Up @@ -95,7 +95,7 @@ compile WeeChat.
| libcurl4-gnutls-dev | | *yes* | URL transfer
| zlib1g-dev | | *yes* | Compression of packets in relay plugin (weechat protocol), script plugin
| libgcrypt20-dev | | *yes* | Secured data, IRC SASL authentication (DH-BLOWFISH/DH-AES), script plugin
| libgnutls28-dev | ≥ 2.2.0 | | SSL connection to IRC server, support of SSL in relay plugin
| libgnutls28-dev | ≥ 2.2.0 | | SSL connection to IRC server, support of SSL in relay plugin, IRC SASL authentication (ECDSA-NIST256P-CHALLENGE)
| gettext | | | Internationalization (translation of messages; base language is English)
| ca-certificates | | | Certificates for SSL connections
| libaspell-dev or libenchant-dev | | | Aspell plugin
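Review bot: the libgnutls28-dev row keeps "≥ 2.2.0" as its minimum version while adding ECDSA-NIST256P-CHALLENGE to its features; confirm that 2.2.0 is enough for the ECC private key handling and signing this mechanism needs, and if it is not, state the higher minimum for that feature in this row. The row also stays marked as not required, so the guide should say what a user sees when sasl_mechanism is set to ecdsa-nist256p-challenge on a build without GnuTLS.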
Expand Down Expand Up @@ -2168,9 +2168,10 @@ For more information, look at http://www.oftc.net/oftc/NickServ/CertFP
WeeChat supports SASL authentication, using different mechanisms:

* 'plain': plain text password (default)
* 'ecdsa-nist256p-challenge': challenge with public/private key
* 'external': client side SSL cert
* 'dh-blowfish': blowfish encrypted password
* 'dh-aes': AES encrypted password
* 'external': client side SSL cert

[NOTE]
The "gcrypt" library is required when compiling WeeChat in order to use
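Review bot: the reordered list still describes 'dh-blowfish' and 'dh-aes' only as "blowfish encrypted password" and "AES encrypted password", while the option help changed in this commit labels both "(insecure, not recommended)"; carry that wording into these two items so the user guide and /help agree. The NOTE in the trailing context names the "gcrypt" library; a matching sentence that 'ecdsa-nist256p-challenge' needs GnuTLS, as the dependency table now says, belongs next to it.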
Expand All @@ -2180,8 +2181,10 @@ Options in servers are:

* 'sasl_mechanism': mechanism to use (see above)
* 'sasl_timeout': timeout (in seconds) for authentication
* 'sasl_fail': action to perform if authentication fails
* 'sasl_username': username (nick)
* 'sasl_password': password
* 'sasl_key': path to private key (for mechanism 'ecdsa-nist256p-challenge')

[[irc_tor_freenode]]
==== Connect to Freenode with TOR/SASL
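Review bot: 'sasl_key' is documented only as "path to private key", with nothing on how to create the key, which file format is expected, or how the matching public key is registered with the server; add a short how-to under the options list, and recommend restricting read access to the key file, since for this mechanism the key takes the place of the password. The 'sasl_password' item could also say it is unused for 'ecdsa-nist256p-challenge' and 'external', as the option help now does.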
13 changes: 9 additions & 4 deletions doc/fr/autogen/user/irc_options.asciidoc
Expand Up @@ -568,13 +568,18 @@
** type: entier
** valeurs: continue, reconnect, disconnect (valeur par défaut: `continue`)
* [[option_irc.server_default.sasl_key]] *irc.server_default.sasl_key*
** description: `fichier avec la clé privée ECC pour le mécanisme "ecdsa-nist256p-challenge" ("%h" sera remplacé par le répertoire de base WeeChat, par défaut : "~/.weechat")`
** type: chaîne
** valeurs: toute chaîne (valeur par défaut: `""`)
* [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism*
** description: `mécanisme pour l'authentification SASL : "plain" pour un mot de passe en clair, "dh-blowfish" pour un mot de passe chiffré avec blowfish, "dh-aes" pour un mot de passe chiffré avec AES, "external" pour une authentification en utilisant un certificat SSL côté client`
** description: `mécanisme pour l'authentification SASL : "plain" pour un mot de passe en clair, "ecdsa-nist256p-challenge" pour une authentification par challenge avec clé, "external" pour une authentification en utilisant un certificat SSL côté client, "dh-blowfish" pour un mot de passe chiffré avec blowfish (non sûr, non recommandé), "dh-aes" pour un mot de passe chiffré avec AES (non sûr, non recommandé)`
** type: entier
** valeurs: plain, dh-blowfish, dh-aes, external (valeur par défaut: `plain`)
** valeurs: plain, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes (valeur par défaut: `plain`)
* [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password*
** description: `mot de passe pour l'authentification SASL (note : le contenu est évalué, voir /help eval)`
** description: `mot de passe pour l'authentification SASL ; cette option n'est pas utilisée pour les mécanismes "ecdsa-nist256p-challenge" et "external" (note : le contenu est évalué, voir /help eval)`
** type: chaîne
** valeurs: toute chaîne (valeur par défaut: `""`)
Expand All @@ -584,7 +589,7 @@
** valeurs: 1 .. 3600 (valeur par défaut: `15`)
* [[option_irc.server_default.sasl_username]] *irc.server_default.sasl_username*
** description: `nom d'utilisateur pour l'authentification SASL (note : le contenu est évalué, voir /help eval)`
** description: `nom d'utilisateur pour l'authentification SASL ; cette option n'est pas utilisée pour le mécanisme "external" (note : le contenu est évalué, voir /help eval)`
** type: chaîne
** valeurs: toute chaîne (valeur par défaut: `""`)
9 changes: 7 additions & 2 deletions doc/fr/weechat_user.fr.asciidoc
Expand Up @@ -97,7 +97,7 @@ compiler WeeChat.
| libcurl4-gnutls-dev | | *oui* | Transfert d'URL
| zlib1g-dev | | *oui* | Compression des paquets dans l'extension relay (protocole weechat), extension script
| libgcrypt20-dev | | *oui* | Données sécurisées, authentification IRC SASL (DH-BLOWFISH/DH-AES), extension script
| libgnutls28-dev | ≥ 2.2.0 | | Connexion SSL au serveur IRC, support SSL dans l'extension relay
| libgnutls28-dev | ≥ 2.2.0 | | Connexion SSL au serveur IRC, support SSL dans l'extension relay, authentification IRC SASL (ECDSA-NIST256P-CHALLENGE)
| gettext | | | Internationalisation (traduction des messages; la langue de base est l'anglais)
| ca-certificates | | | Certificats pour les connexions SSL
| libaspell-dev ou libenchant-dev | | | Extension aspell
Expand Down Expand Up @@ -2242,9 +2242,11 @@ WeeChat supporte l'authentification avec SASL, en utilisant différents
mécanismes :

* 'plain' : mot de passe en clair (par défaut)
// TRANSLATION MISSING
* 'ecdsa-nist256p-challenge' : challenge avec clé publique/privée
* 'external' : certificat SSL côté client
* 'dh-blowfish' : mot de passe chiffré avec blowfish
* 'dh-aes' : mot de passe chiffré avec AES
* 'external' : certificat SSL côté client

[NOTE]
La librairie "gcrypt" est requise lors de la compilation de WeeChat pour
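Review bot: the "// TRANSLATION MISSING" marker added above the 'ecdsa-nist256p-challenge' item looks unnecessary, because the item below it is already in French ("challenge avec clé publique/privée"); drop the marker so the line is not flagged as untranslated.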
Expand All @@ -2254,8 +2256,11 @@ Les options dans le serveur sont :

* 'sasl_mechanism' : mécanisme à utiliser (voir ci-dessus)
* 'sasl_timeout' : délai d'attente maximum (en secondes) pour l'authentification
* 'sasl_fail' : action à effectuer si l'authentification échoue
* 'sasl_username' : nom d'utilisateur (pseudo)
* 'sasl_password' : mot de passe
* 'sasl_key' : chemin vers la clé privée (pour le mécanisme
'ecdsa-nist256p-challenge')

[[irc_tor_freenode]]
==== Connexion à Freenode avec TOR/SASL
13 changes: 9 additions & 4 deletions doc/it/autogen/user/irc_options.asciidoc
Expand Up @@ -568,13 +568,18 @@
** tipo: intero
** valori: continue, reconnect, disconnect (valore predefinito: `continue`)
* [[option_irc.server_default.sasl_key]] *irc.server_default.sasl_key*
** descrizione: `file with ECC private key for mechanism "ecdsa-nist256p-challenge" ("%h" will be replaced by WeeChat home, "~/.weechat" by default)`
** tipo: stringa
** valori: qualsiasi stringa (valore predefinito: `""`)
* [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism*
** descrizione: `meccanismo per l'autenticazione SASL: "plain" per le password in chiaro, "dh-blowfish" per le password cifrate in blowfish, "dh-aes" per le password cifrate in AES "external" per l'autenticazione con certificati SSL lato client`
** descrizione: `mechanism for SASL authentication: "plain" for plain text password, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL cert, "dh-blowfish" for blowfish crypted password (insecure, not recommended), "dh-aes" for AES crypted password (insecure, not recommended)`
** tipo: intero
** valori: plain, dh-blowfish, dh-aes, external (valore predefinito: `plain`)
** valori: plain, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes (valore predefinito: `plain`)
* [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password*
** descrizione: `password per l'autenticazione SASL (nota: il contenuto viene valutato, consultare /help eval)`
** descrizione: `password for SASL authentication; this option is not used for mechanisms "ecdsa-nist256p-challenge" and "external" (note: content is evaluated, see /help eval)`
** tipo: stringa
** valori: qualsiasi stringa (valore predefinito: `""`)
Expand All @@ -584,7 +589,7 @@
** valori: 1 .. 3600 (valore predefinito: `15`)
* [[option_irc.server_default.sasl_username]] *irc.server_default.sasl_username*
** descrizione: `nome utente per l'autenticazione SASL (nota: il contenuto viene valutato, consultare /help eval)`
** descrizione: `username for SASL authentication; this option is not used for mechanism "external" (note: content is evaluated, see /help eval)`
** tipo: stringa
** valori: qualsiasi stringa (valore predefinito: `""`)
10 changes: 8 additions & 2 deletions doc/it/weechat_user.it.asciidoc
Expand Up @@ -112,7 +112,7 @@ compilare WeeChat.
// TRANSLATION MISSING
| libgcrypt20-dev | | *sì* | Secured data, IRC SASL authentication (DH-BLOWFISH/DH-AES), script plugin
// TRANSLATION MISSING
| libgnutls28-dev | ≥ 2.2.0 | | Connessione SSL al server IRC, support of SSL in relay plugin
| libgnutls28-dev | ≥ 2.2.0 | | Connessione SSL al server IRC, support of SSL in relay plugin, IRC SASL authentication (ECDSA-NIST256P-CHALLENGE)
| gettext | | | Internazionalizzazione (traduzione dei messaggi; la lingua base è l'inglese)
| ca-certificates | | | Certificati per le connessioni SSL
| libaspell-dev o libenchant-dev | | | Plugin aspell
Expand Down Expand Up @@ -2278,10 +2278,12 @@ WeeChat supports SASL authentication, using different mechanisms:
// TRANSLATION MISSING
* 'plain': password in chiaro (default)
// TRANSLATION MISSING
* 'ecdsa-nist256p-challenge': challenge with public/private key
* 'external': certificato SSL da lato client
// TRANSLATION MISSING
* 'dh-blowfish': blowfish encrypted password
// TRANSLATION MISSING
* 'dh-aes': AES encrypted password
* 'external': certificato SSL da lato client

[NOTE]
La libreria "gcrypt" è richiesta per compilare WeeChat al fine di usare il
Expand All @@ -2292,8 +2294,12 @@ Le opzioni nel server sono:
// TRANSLATION MISSING
* 'sasl_mechanism': meccanismo da usare (see above)
* 'sasl_timeout': timeout (in secondi) per l'autenticazione
// TRANSLATION MISSING
* 'sasl_fail': action to perform if authentication fails
* 'sasl_username': nome utente (nick)
* 'sasl_password': password
// TRANSLATION MISSING
* 'sasl_key': path to private key (for mechanism 'ecdsa-nist256p-challenge')

[[irc_tor_freenode]]
==== Connessione a Freenode con TOR/SASL
13 changes: 9 additions & 4 deletions doc/ja/autogen/user/irc_options.asciidoc
Expand Up @@ -568,13 +568,18 @@
** タイプ: 整数
** 値: continue, reconnect, disconnect (デフォルト値: `continue`)
* [[option_irc.server_default.sasl_key]] *irc.server_default.sasl_key*
** 説明: `file with ECC private key for mechanism "ecdsa-nist256p-challenge" ("%h" will be replaced by WeeChat home, "~/.weechat" by default)`
** タイプ: 文字列
** 値: 未制約文字列 (デフォルト値: `""`)
* [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism*
** 説明: `SASL 認証メカニズム: "plain" は平文パスワード、"dh-blowfish" blowfish 暗号化パスワード、"dh-aes" AES 暗号化パスワード、"external" はクライアント側の SSL 証明書を利用した認証`
** 説明: `mechanism for SASL authentication: "plain" for plain text password, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL cert, "dh-blowfish" for blowfish crypted password (insecure, not recommended), "dh-aes" for AES crypted password (insecure, not recommended)`
** タイプ: 整数
** 値: plain, dh-blowfish, dh-aes, external (デフォルト値: `plain`)
** 値: plain, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes (デフォルト値: `plain`)
* [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password*
** 説明: `SASL 認証のパスワード (注意: 値は評価されます、/help eval を参照してください)`
** 説明: `password for SASL authentication; this option is not used for mechanisms "ecdsa-nist256p-challenge" and "external" (note: content is evaluated, see /help eval)`
** タイプ: 文字列
** 値: 未制約文字列 (デフォルト値: `""`)
Expand All @@ -584,7 +589,7 @@
** 値: 1 .. 3600 (デフォルト値: `15`)
* [[option_irc.server_default.sasl_username]] *irc.server_default.sasl_username*
** 説明: `SASL 認証のユーザ名 (注意: 値は評価されます、/help eval を参照してください)`
** 説明: `username for SASL authentication; this option is not used for mechanism "external" (note: content is evaluated, see /help eval)`
** タイプ: 文字列
** 値: 未制約文字列 (デフォルト値: `""`)