sopel-irc · half-duplex · Oct 23, 2022 · Oct 26, 2022 · Oct 26, 2022 · Aug 13, 2023
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ lint-style:
 	flake8
 
 lint-type:
-	mypy --check-untyped-defs sopel
+	mypy sopel
 
 .PHONY: test test_norecord test_novcr vcr_rerecord
 test:

diff --git a/docs/source/configuration.rst b/docs/source/configuration.rst
@@ -576,7 +576,7 @@ When :attr:`~CoreSection.server_auth_method` is defined the settings used are:
 * :attr:`~CoreSection.server_auth_username`: account's username
 * :attr:`~CoreSection.server_auth_password`: account's password
 * :attr:`~CoreSection.server_auth_sasl_mech`: the SASL mechanism to use
-  (defaults to ``PLAIN``; ``EXTERNAL`` is also available)
+  (default is ``PLAIN``; ``EXTERNAL`` and ``SCRAM-SHA-256`` are also available)
 
 For example, this will use NickServ ``IDENTIFY`` command and SASL mechanism::
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -52,6 +52,7 @@ dependencies = [
     "importlib_metadata>=3.6",
     "packaging>=23.2",
     "sopel-help>=0.4.0",
+    "scramp>=1.4.4,<2",
 ]
 
 [project.urls]
@@ -72,6 +73,16 @@ sopel-plugins = "sopel.cli.plugins:main"
 [project.entry-points.pytest11]
 pytest-sopel = "sopel.tests.pytest_plugin"
 
+[tool.mypy]
+check_untyped_defs = true
+plugins = "sqlalchemy.ext.mypy.plugin"
+show_error_codes = true
+
+# Remove once scramp has type stubs or annotations
+[[tool.mypy.overrides]]
+module = 'scramp.*'
+ignore_missing_imports = true
+
 [tool.pytest.ini_options]
 # NOTE: sopel/ is included here to include dynamically-generated tests
 testpaths = ["test", "sopel"]

diff --git a/setup.cfg b/setup.cfg
@@ -26,7 +26,3 @@ exclude =
     contrib/*,
     conftest.py
 no-accept-encodings = True
-
-[mypy]
-plugins = sqlalchemy.ext.mypy.plugin
-show_error_codes = True
diff --git a/sopel/config/core_section.py b/sopel/config/core_section.py
@@ -1191,12 +1191,16 @@ def homedir(self):
 
     :default: ``PLAIN``
 
-    ``EXTERNAL`` is also supported, e.g. for using :attr:`client_cert_file` to
-    authenticate via CertFP.
+    Supported mechanisms are:
+
+    * ``PLAIN``, to authenticate by sending a plaintext password
+    * ``EXTERNAL``, to authenticate using a TLS client certificate
+      (see :attr:`client_cert_file`)
+    * ``SCRAM-SHA-256``, for password-based challenge-response authentication
 
     .. versionadded:: 7.0
     .. versionchanged:: 8.0
-        Added support for SASL EXTERNAL mechanism.
+        Added support for SASL EXTERNAL and SCRAM-SHA-256 mechanisms.
     """
 
     server_auth_username = ValidatedAttribute('server_auth_username')

diff --git a/sopel/coretasks.py b/sopel/coretasks.py
@@ -23,6 +23,7 @@
 from __future__ import annotations
 
 import base64
+from binascii import Error as BinasciiError
 import collections
 import copy
 from datetime import datetime, timedelta, timezone
@@ -32,6 +33,9 @@
 import time
 from typing import Callable, Optional, TYPE_CHECKING
 
+from scramp import ScramClient, ScramException
+from scramp.core import ClientStage as ScramClientStage
+
 from sopel import config, plugin
 from sopel.irc import isupport, utils
 from sopel.tools import events, jobs, SopelMemory, target
@@ -106,7 +110,6 @@ def _handle_sasl_capability(
             'cannot authenticate with SASL.',
         )
         return plugin.CapabilityNegotiation.ERROR
-
     # Check SASL configuration (password is required)
     password, mech = _get_sasl_pass_and_mech(bot)
     if not password:
@@ -118,9 +121,18 @@ def _handle_sasl_capability(
     cap_info = bot.capabilities.get_capability_info('sasl')
     cap_params = cap_info.params
 
-    available_mechs = cap_params.split(',') if cap_params else []
+    server_mechs = cap_params.split(',') if cap_params else []
 
-    if available_mechs and mech not in available_mechs:
+    sopel_mechs = ["PLAIN", "EXTERNAL", "SCRAM-SHA-256"]
+    if mech not in sopel_mechs:
+        raise config.ConfigurationError(
+            'SASL mechanism "{mech}" is not supported by Sopel; '
+            'available mechanisms are: {available}.'.format(
+                mech=mech,
+                available=', '.join(sopel_mechs),
+            )
+        )
+    if server_mechs and mech not in server_mechs:
         # Raise an error if configured to use an unsupported SASL mechanism,
         # but only if the server actually advertised supported mechanisms,
         # i.e. this network supports SASL 3.2
@@ -129,11 +141,13 @@ def _handle_sasl_capability(
         # by the sasl_mechs() function
 
         # See https://github.com/sopel-irc/sopel/issues/1780 for background
+
+        common_mechs = set(sopel_mechs) & set(server_mechs)
         raise config.ConfigurationError(
             'SASL mechanism "{mech}" is not advertised by this server; '
             'available mechanisms are: {available}.'.format(
                 mech=mech,
-                available=', '.join(available_mechs),
+                available=', '.join(common_mechs),
             )
         )
 
@@ -1250,7 +1264,43 @@ def auth_proceed(bot, trigger):
             bot.write(('AUTHENTICATE', '*'))
             return
 
-    # TODO: Implement SCRAM challenges
+    elif mech == "SCRAM-SHA-256":
+        if trigger.args[0] == "+":
+            bot._scram_client = ScramClient([mech], sasl_username, sasl_password)
+            client_first = bot._scram_client.get_client_first()
+            LOGGER.info("Sending SASL SCRAM client first")
+            send_authenticate(bot, client_first)
+        elif bot._scram_client.stage == ScramClientStage.get_client_first:
+            try:
+                server_first = base64.b64decode(trigger.args[0]).decode("utf-8")
+                bot._scram_client.set_server_first(server_first)
+            except (BinasciiError, KeyError, ScramException) as e:
+                LOGGER.error("SASL SCRAM server_first failed: %r", e)
+                bot.write(("AUTHENTICATE", "*"))
+                return
+            if bot._scram_client.iterations < 4096:
+                LOGGER.warning(
+                    "SASL SCRAM iteration count is insecure, continuing anyway"
+                )
+            elif bot._scram_client.iterations >= 4_000_000:
+                LOGGER.warning(
+                    "SASL SCRAM iteration count is very high, this will be slow..."
+                )
+            client_final = bot._scram_client.get_client_final()
+            LOGGER.info("Sending SASL SCRAM client final")
+            send_authenticate(bot, client_final)
+        elif bot._scram_client.stage == ScramClientStage.get_client_final:
+            try:
+                server_final = base64.b64decode(trigger.args[0]).decode("utf-8")
+                bot._scram_client.set_server_final(server_final)
+            except (BinasciiError, KeyError, ScramException) as e:
+                LOGGER.error("SASL SCRAM server_final failed: %r", e)
+                bot.write(("AUTHENTICATE", "*"))
+                return
+            LOGGER.info("SASL SCRAM succeeded")
+            bot.write(("AUTHENTICATE", "+"))
+            bot._scram_client = None
+        return
 
 
 def _make_sasl_plain_token(account, password):