From bf0b4947578ef3d5b48624c8800e63ef5cb30b66 Mon Sep 17 00:00:00 2001 From: Simon Ser Date: Tue, 21 Mar 2023 18:43:44 +0100 Subject: [PATCH 1/4] Add sasl-ir extension --- extensions/sasl-ir.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 extensions/sasl-ir.md diff --git a/extensions/sasl-ir.md b/extensions/sasl-ir.md new file mode 100644 index 000000000..94f2613ab --- /dev/null +++ b/extensions/sasl-ir.md 
@@ -0,0 +1,43 @@ +--- +title: SASL initial response +layout: spec +copyrights: + - + name: "Simon Ser" + period: "2023" + email: "contact@emersion.fr" +--- + +## Notes for implementing work-in-progress version + +This is a work-in-progress specification. + +Software implementing this work-in-progress specification MUST NOT use the unprefixed `sasl-ir` CAP name. Instead, implementations SHOULD use the `draft/sasl-ir` CAP name to be interoperable with other software implementing a compatible work-in-progress version. The final version of the specification will use unprefixed CAP names. + +## Introduction + +Clients can use the [SASL extension](sasl-3.1.html) to authenticate against IRC servers. Some SASL mechanisms are client-first, ie. the client sends an initial response to start the authentication exchange. + +This extension updates the first `AUTHENTICATE` command to accept an initial response, to avoid a roundtrip in the SASL exchange. + +## Implementation + +Servers supporting this extension MUST advertise the `sasl-ir` capability. Servers MUST accept the new form of the `AUTHENTICATE` command even if the capability hasn't been explciitly enabled by the client. + +The initial `AUTHENTICATE` command is extended to accept an extra argument for the initial response: + + AUTHENTICATE [initial-response] + +The initial response is optional. When provided, the initial response MUST be encoded as defined by SASL 3.1 (base64 or `+` with a maximum size of 400 bytes). If the initial response is larger than 400 bytes, the client MUST send separate `AUTHENTICATE` commands as usual with the rest of the chunks. 
+ +An `AUTHENTICATE` command with an initial response is equivalent to the following exchange: + + C: AUTHENTICATE + S: AUTHENTICATE + + C: AUTHENTICATE + +## Example protocol exchange + + C: AUTHENTICATE PLAIN amlsbGVzAGppbGxlcwBzZXNhbWU= + S: :irc.example.org 900 emersion emersion!emersion@emersion.fr emersion :You are now logged in as emersion + S: :irc.example.org 903 emersion :SASL authentication successful From fe47763471f8fb236209888c87314a60aaa643c1 Mon Sep 17 00:00:00 2001 From: Simon Ser Date: Tue, 21 Mar 2023 19:36:21 +0100 Subject: [PATCH 2/4] Update extensions/sasl-ir.md Co-authored-by: dgw --- extensions/sasl-ir.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/sasl-ir.md b/extensions/sasl-ir.md index 94f2613ab..c2b91e170 100644 --- a/extensions/sasl-ir.md +++ b/extensions/sasl-ir.md @@ -16,7 +16,7 @@ Software implementing this work-in-progress specification MUST NOT use the unpre ## Introduction -Clients can use the [SASL extension](sasl-3.1.html) to authenticate against IRC servers. Some SASL mechanisms are client-first, ie. the client sends an initial response to start the authentication exchange. +Clients can use the [SASL extension](sasl-3.1.html) to authenticate against IRC servers. Some SASL mechanisms are client-first, i.e. the client sends an initial response to start the authentication exchange. This extension updates the first `AUTHENTICATE` command to accept an initial response, to avoid a roundtrip in the SASL exchange. From 88d9a1ba2b53d9e75c7bb8f60652ae70af272fbe Mon Sep 17 00:00:00 2001 From: Simon Ser Date: Tue, 21 Mar 2023 19:42:48 +0100 Subject: [PATCH 3/4] Address val's comments --- extensions/sasl-ir.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/extensions/sasl-ir.md b/extensions/sasl-ir.md index c2b91e170..c58878679 100644 --- a/extensions/sasl-ir.md +++ b/extensions/sasl-ir.md 
@@ -22,13 +22,13 @@ This extension updates the first `AUTHENTICATE` command to accept an initial res ## Implementation -Servers supporting this extension MUST advertise the `sasl-ir` capability. Servers MUST accept the new form of the `AUTHENTICATE` command even if the capability hasn't been explciitly enabled by the client. +Servers supporting this extension MUST advertise the `draft/sasl-ir` capability. Servers MUST accept the new form of the `AUTHENTICATE` command even if the capability hasn't been explciitly enabled by the client. The initial `AUTHENTICATE` command is extended to accept an extra argument for the initial response: AUTHENTICATE [initial-response] -The initial response is optional. When provided, the initial response MUST be encoded as defined by SASL 3.1 (base64 or `+` with a maximum size of 400 bytes). If the initial response is larger than 400 bytes, the client MUST send separate `AUTHENTICATE` commands as usual with the rest of the chunks. +The initial response is optional. When provided, the initial response MUST be encoded as defined by SASL 3.1 (base64 or `+` with a maximum size of 400 bytes). If the initial response is larger than 400 bytes, the client MUST send separate `AUTHENTICATE` commands as usual with the rest of the chunks (without repeating the mechanism name). An `AUTHENTICATE` command with an initial response is equivalent to the following exchange: 
@@ -38,6 +38,15 @@ An `AUTHENTICATE` command with an initial response is equivalent to the followin ## Example protocol exchange +When the initial response fits into the 400 byte limit: + C: AUTHENTICATE PLAIN amlsbGVzAGppbGxlcwBzZXNhbWU= S: :irc.example.org 900 emersion emersion!emersion@emersion.fr emersion :You are now logged in as emersion S: :irc.example.org 903 emersion :SASL authentication successful + +When the initial response needs to be split into multiple chunks: + + C: AUTHENTICATE PLAIN 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 + C: AUTHENTICATE SXRhcXVlIHJlaWNpZW5kaXMgZXQgZnVnaWF0IGZhY2VyZSB2ZW5pYW0gcmVjdXNhbmRhZSBkb2xvcmVtIGRlc2VydW50LiBUZW5ldHVyIGN1bSBjdWxwYSBhdHF1ZSBhcmNoaXRlY3RvIGFiIG1heGltZS4= + S: :irc.example.org 900 emersion emersion!emersion@emersion.fr emersion :You are now logged in as emersion + S: :irc.example.org 903 emersion :SASL authentication successful From 8e39b42cc0e48b46174ba926f8462761e4dc7514 Mon Sep 17 00:00:00 2001 From: Simon Ser Date: Fri, 24 Mar 2023 16:09:33 +0100 Subject: [PATCH 4/4] Update extensions/sasl-ir.md Co-authored-by: Sadie Powell --- extensions/sasl-ir.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/sasl-ir.md b/extensions/sasl-ir.md index c58878679..ec4a58c6a 100644 --- a/extensions/sasl-ir.md +++ b/extensions/sasl-ir.md @@ -22,7 +22,7 @@ This extension updates the first `AUTHENTICATE` command to accept an initial res ## Implementation -Servers supporting this extension MUST advertise the `draft/sasl-ir` capability. Servers MUST accept the new form of the `AUTHENTICATE` command even if the capability hasn't been explciitly enabled by the client. +Servers supporting this extension MUST advertise the `draft/sasl-ir` capability. Servers MUST accept the new form of the `AUTHENTICATE` command even if the capability hasn't been explicitly enabled by the client. The initial `AUTHENTICATE` command is extended to accept an extra argument for the initial response:
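Review bot: The Implementation section in PATCH 1/4 requires servers to advertise the unprefixed `sasl-ir` capability, which contradicts the work-in-progress note a few lines earlier that says implementations MUST NOT use the unprefixed name; PATCH 3/4 changes it to `draft/sasl-ir`, so either squash the series or amend the first commit so that no intermediate revision is self-contradictory. The same paragraph says servers MUST accept the new form even when the capability has not been enabled but gives no rule for the client side: add a sentence that clients MUST NOT send an initial response unless the server advertises `draft/sasl-ir`, since the text defines no behaviour for a server without this extension receiving the extra argument. "explciitly" is a typo here (fixed later in PATCH 4/4).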
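Review bot: The chunking sentence in the first hunk of PATCH 3/4 covers initial responses larger than 400 bytes but not one that is exactly 400 bytes; under the SASL 3.1 chunking rules this hunk references, a full-size chunk must be followed by a terminating `AUTHENTICATE +`, so state that an initial response of exactly 400 bytes requires the client to send `AUTHENTICATE +` afterwards, otherwise the server cannot tell whether more data follows. The hunk also leaves undefined what the server does when the initial response is not valid base64, or is supplied for a mechanism that is not client-first; specify that the server fails the authentication with the same numeric reply SASL 3.1 uses for a malformed `AUTHENTICATE` rather than leaving the behaviour implementation-defined.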
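Review bot: In the second hunk of PATCH 3/4 the single-chunk example is internally inconsistent: `amlsbGVzAGppbGxlcwBzZXNhbWU=` decodes to the PLAIN payload `jilles\0jilles\0sesame`, yet the `900` reply reports `You are now logged in as emersion`. Use the same account name in the initial response and in the `900`/`903` replies (e.g. an `emersion` credential, or change the replies to `jilles`), since implementers copy these exchanges into conformance tests. The multi-chunk example would also be more useful if it showed the follow-up `AUTHENTICATE` chunk line immediately after the first, with a one-line comment that the mechanism name is not repeated, matching the rule added in the previous hunk.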