• Bug#1102327: irssi: CAP END sent prematurely causing pubkey auth to fai

    From Manny@21:1/5 to All on Mon Apr 7 19:10:01 2025
    Package: irssi
    Version: 1.4.3-2
    Severity: normal
    Tags: upstream
    X-Debbugs-Cc: debbug.irssi@sideload.33mail.com

    Apparently it is impossible for an IRSSI user to perform pubkey
    authentication if they also load the server_time.pl IRSSI
    script. The raw log looks like this:

    ===8<----------------------------------------
    << CAP LS 302
    << JOIN :
    :palladium.libera.chat NOTICE * :*** Ident disabled, not checking ident
    :palladium.libera.chat NOTICE * :*** Looking up your hostname...
    :palladium.libera.chat NOTICE * :*** Couldn't look up your hostname
    :palladium.libera.chat CAP * LS :account-notify away-notify chghost extended-join multi-prefix sasl=ECDSA-NIST256P-CHALLENGE,EXTERNAL,PLAIN,SCRAM-SHA-512 tls account-tag cap-notify echo-message server-time solanum.chat/identify-msg solanum.chat/oper solanum.chat/realhost
    << CAP REQ :sasl multi-prefix extended-join away-notify chghost account-notify server-time
    << CAP REQ :server-time
    :palladium.libera.chat 451 * :You have not registered
    :palladium.libera.chat CAP * ACK :sasl multi-prefix extended-join away-notify chghost account-notify server-time
    << AUTHENTICATE EXTERNAL
    :palladium.libera.chat CAP * ACK :server-time
    << CAP END
    ===8<----------------------------------------

    Notice the JOIN message. That has no business here. It creates noise
    and a 451 warning message. It’s a red herring and is not the cause of
    the underlying problems. Nonetheless, it’s a defect. We will call this
    sub bug 1.

    Packet capture shows that the raw log generated by IRSSI is incomplete
    (call this sub bug 2). In reality the server replies with
    “AUTHENTICATE +” but IRSSI sends “CAP END” before registration is complete. This causes the libera server to signal that SASL
    authentication failed, which is also missing from the raw log. IRSSI
    gives up and sends an RST packet. But then strangely IRSSI reports
    "connection lost", as if the connection were dropped by an external
    actor. I will label that sub bug 3.

    This is the output in the IRSSI status window:

    ===8<----------------------------------------
    [torlibera] -!- Irssi: Looking up 127.0.0.1
    [torlibera] -!- Irssi: Connecting to 127.0.0.1 [127.0.0.1] port 16001
    [torlibera] -!- Irssi: Certificate Chain:
    [torlibera] -!- Irssi: Subject: CN: palladium.libera.chat
    [torlibera] -!- Irssi: Issuer: C: US, O: Let's Encrypt, CN: R10
    [torlibera] -!- Irssi: Subject: C: US, O: Let's Encrypt, CN: R10
    [torlibera] -!- Irssi: Issuer: C: US, O: Internet Security Research Group, CN: ISRG Root X1
    [torlibera] -!- Irssi: Protocol: TLSv1.3 (256 bit, TLS_AES_256_GCM_SHA384)
    [torlibera] -!- Irssi: EDH Key: 253 bit Unknown
    [torlibera] -!- Irssi: Public Key: 4096 bit RSA, valid from Feb 10 05:20:04 2025 GMT to May 11 05:20:03 2025 GMT
    [torlibera] -!- Irssi: Public Key Fingerprint: 01:33:EE:35:80:B0:BB:7C:61:8D:56:9D:1B:98:69:14:F3:78:EB:D3:7A:3F:61:8F:C8:9F:AA:34:CF:DD:1E:62 (SHA256)
    [torlibera] -!- Irssi: Certificate Fingerprint: E6:5E:B7:CC:2D:3F:EA:53:58:88:2E:F5:1B:1B:E5:F4:B5:56:67:9C:E1:6F:85:FE:27:94:5C:10:89:22:E0:8F (SHA256)
    [torlibera] Waiting for CAP LS response...
    [torlibera] -!- Irssi: Connection to 127.0.0.1 established
    [torlibera] !palladium.libera.chat *** Ident disabled, not checking ident
    [torlibera] !palladium.libera.chat *** Looking up your hostname...
    [torlibera] !palladium.libera.chat *** Couldn't look up your hostname
    [torlibera] -!- Capabilities requested: sasl multi-prefix extended-join away-notify chghost account-notify server-time
    [torlibera] -!- Capabilities supported: account-notify away-notify chghost extended-join multi-prefix sasl=ECDSA-NIST256P-CHALLENGE,EXTERNAL,PLAIN,SCRAM-SHA-512 tls account-tag cap-notify echo-message server-time solanum.chat/identify-msg solanum.chat/oper solanum.chat/realhost
    [torlibera] -!- Capabilities acknowledged: sasl multi-prefix extended-join away-notify chghost account-notify server-time
    [torlibera] -!- Capabilities acknowledged: server-time
    -!- Irssi: Connection lost to 127.0.0.1
    ===8<----------------------------------------

    To reproduce that, this is the relevant config stanza:

    ===8<----------------------------------------
    torlibera = {
      type = "IRC";
      nick = "manny";
      username = "manny";
      realname = "manny";
      sasl_mechanism = "external";
    };

    {
      address = "127.0.0.1";
      chatnet = "torlibera";
      port = "16001";
      use_tls = "yes";
      tls_cert = "~/certs/libera.pem";
      tls_verify = "no";
      tls_pinned_pubkey = "01:33:EE:35:80:B0:BB:7C:61:8D:56:9D:1B:98:69:14:F3:78:EB:D3:7A:3F:61:8F:C8:9F:AA:34:CF:DD:1E:62";
    }
    ===8<----------------------------------------

    It’s a tor session and IRSSI does not support proxies, so this is the
    wrapper script used:

    ===8<----------------------------------------
    $ socat -T9999999 -s TCP4-LISTEN:16001,ignoreeof SOCKS4A:127.0.0.1:libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion:6697,socksport=9050,ignoreeof &
    $ socat_pid=$!
    $ irssi
    $ kill ${socat_pid}
    ===8<----------------------------------------

    NickServ on Libera is configured for the user’s pubkey fingerprint.

    In the raw log there are two consecutive “CAP REQ”s sent. The 2nd
    one is redundant and it’s caused by the mere presence of this file:

    ~/.irssi/scripts/server_time.pl

    I’ll tag that as sub bug 4. That file was installed in order to obtain correct message timestamps from ZNC-served connections.

    The CAP REQ redundancy somehow causes IRSSI to botch the CAP
    negotiation and mishandle the “AUTHENTICATE +” signal and send a
    premature CAP END which destroys the handshake. Calling this sub bug
    5.

    There are 5 bugs here:

    ① JOIN is strangely and needlessly sent after REQ LS
    ② raw log is incomplete and withholds 2 server messages
    ③ IRSSI reports “connection lost” but it was IRSSI that killed it
    ④ the server_time.pl script sends a redundant CAP REQ command
    ⑤ IRSSI fumbles the “AUTHENTICATE +” signal → premature CAP END

    * Workaround *

    The workaround is to remove ~/.irssi/scripts/server_time.pl. I stress workaround because although connectivity is possible by removing that
    file, it merely hides bugs 2—5.

    -- System Information:
    Debian Release: 12.10
    APT prefers stable-updates
    APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'stable'), (500, 'oldstable')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 5.10.0-28-amd64 (SMP w/2 CPU threads)
    Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages irssi depends on:
    ii libc6 2.36-9+deb12u10
    ii libglib2.0-0 2.74.6-2+deb12u5
    ii libperl5.36 5.36.0-7+deb12u1
    ii libssl3 3.0.15-1~deb12u1
    ii libtinfo6 6.4-4
    ii perl 5.36.0-7+deb12u1
    ii perl-base [perlapi-5.36.0] 5.36.0-7+deb12u1

    irssi recommends no packages.

    Versions of packages irssi suggests:
    ii irssi-scripts 20220704

    -- no debconf information
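
The ordering problems described in the report (a repeated CAP REQ and a CAP END sent while SASL is still in flight) can be checked mechanically in a raw log. The following is an added example, not part of the original report or of irssi: the function name `audit_rawlog`, the server name `irc.example.net` and the healthy exchange are assumptions made for illustration, and `<<` is taken to mark client-sent lines as in the log above.

```python
# Numerics that end a SASL exchange (902-907); 908 only lists mechanisms.
SASL_DONE = {"902", "903", "904", "905", "906", "907"}

def audit_rawlog(lines):
    """Return (line_no, finding) tuples; '<<' marks client-sent lines."""
    findings, requested, sasl_in_flight = [], set(), False
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        sent = line.startswith("<<")
        words = line[2:].split() if sent else line.split()
        if not words:
            continue
        if not sent:
            # Server lines look like ':server 903 nick :text'.
            if len(words) > 1 and words[1] in SASL_DONE:
                sasl_in_flight = False
            continue
        cmd = words[0].upper()
        sub = words[1].upper() if len(words) > 1 else ""
        if cmd == "AUTHENTICATE":
            sasl_in_flight = True
        elif cmd == "CAP" and sub == "REQ":
            caps = {w.lstrip(":") for w in words[2:]}
            dup = sorted(caps & requested)
            if dup:
                findings.append((no, "redundant CAP REQ: " + " ".join(dup)))
            requested |= caps
        elif cmd == "CAP" and sub == "END" and sasl_in_flight:
            findings.append((no, "CAP END before SASL finished"))
    return findings

# Lines taken from the report's raw log (CAP LS, JOIN, NOTICE and 451 omitted).
REPORTED = """\
<< CAP REQ :sasl multi-prefix extended-join away-notify chghost account-notify server-time
<< CAP REQ :server-time
:palladium.libera.chat CAP * ACK :sasl multi-prefix extended-join away-notify chghost account-notify server-time
<< AUTHENTICATE EXTERNAL
:palladium.libera.chat CAP * ACK :server-time
<< CAP END
""".splitlines()

# Constructed healthy exchange (assumed server name): CAP END follows numeric 903.
HEALTHY = """\
<< AUTHENTICATE EXTERNAL
:irc.example.net AUTHENTICATE +
<< AUTHENTICATE +
:irc.example.net 903 manny :SASL authentication successful
<< CAP END
""".splitlines()
```

`audit_rawlog(REPORTED)` flags line 2 (the second CAP REQ) and line 6 (the CAP END), while `audit_rawlog(HEALTHY)` returns no findings.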
