diff --git a/po/de.po b/po/de.po
index 6ea54e8b..d0e152ef 100644
--- a/po/de.po
+++ b/po/de.po
@@ -367,6 +367,14 @@ msgstr "Aufgelöst zu:"
msgid "Looking up %s..."
msgstr "Schlage %s nach …"
+#: src/common/inbound.c:1992
+msgid "Could not create SCRAM session with digest %s"
+msgstr "Es konnte keine SCRAM-Sitzung mit der Hashfunktion %s erstellt werden"
+
+#: src/common/inbound.c:2024
+msgid "SASL SCRAM authentication failed: %s"
+msgstr "SASL SCRAM Authentifizierung fehlgeschlagen: %s"
+
#: src/common/notify.c:559
#, c-format
msgid " %-20s online\n"
diff --git a/po/en_GB.po b/po/en_GB.po
index 4acd694a..99775c0e 100644
--- a/po/en_GB.po
+++ b/po/en_GB.po
@@ -346,6 +346,14 @@ msgstr "Resolved to:"
msgid "Looking up %s..."
msgstr "Looking up %s..."
+#: src/common/inbound.c:1992
+msgid "Could not create SCRAM session with digest %s"
+msgstr "Could not create SCRAM session with digest %s"
+
+#: src/common/inbound.c:2024
+msgid "SASL SCRAM authentication failed: %s"
+msgstr "SASL SCRAM authentication failed: %s"
+
#: src/common/notify.c:559
#, c-format
msgid " %-20s online\n"
diff --git a/po/it.po b/po/it.po
index 966c6dcf..76f04720 100644
--- a/po/it.po
+++ b/po/it.po
@@ -343,6 +343,14 @@ msgstr "Risolto a:"
msgid "Looking up %s..."
msgstr "Ricerca di %s..."
+#: src/common/inbound.c:1992
+msgid "Could not create SCRAM session with digest %s"
+msgstr "Impossibile creare una sessione SCRAM con la funzione hash %s"
+
+#: src/common/inbound.c:2024
+msgid "SASL SCRAM authentication failed: %s"
+msgstr "SASL SCRAM autenticazione fallita: %s"
+
#: src/common/notify.c:559
#, c-format
msgid " %-20s online\n"
diff --git a/src/common/common.vcxproj b/src/common/common.vcxproj
index bc191f43..c91d8cbb 100644
--- a/src/common/common.vcxproj
+++ b/src/common/common.vcxproj
@@ -36,6 +36,7 @@
+
@@ -69,6 +70,7 @@
+
diff --git a/src/common/hexchat.h b/src/common/hexchat.h
index 1b86f588..5ead96d1 100644
--- a/src/common/hexchat.h
+++ b/src/common/hexchat.h
@@ -41,6 +41,7 @@
#ifdef USE_OPENSSL
#include /* SSL_() */
+#include "scram.h"
#endif
#ifdef __EMX__ /* for o/s 2 */
@@ -430,6 +431,9 @@ typedef struct session
/* SASL Mechanisms */
#define MECH_PLAIN 0
#define MECH_EXTERNAL 1
+#define MECH_SCRAM_SHA_1 2
+#define MECH_SCRAM_SHA_256 3
+#define MECH_SCRAM_SHA_512 4
typedef struct server
{
@@ -585,6 +589,7 @@ typedef struct server
#ifdef USE_OPENSSL
unsigned int use_ssl:1; /* is server SSL capable? */
unsigned int accept_invalid_cert:1;/* ignore result of server's cert. verify */
+ scram_session *scram_session; /* session for SASL SCRAM authentication */
#endif
} server;
diff --git a/src/common/inbound.c b/src/common/inbound.c
index 78a126f7..9b38f7c7 100644
--- a/src/common/inbound.c
+++ b/src/common/inbound.c
@@ -1648,7 +1648,10 @@ inbound_identified (server *serv) /* 'MODE +e MYSELF' on freenode */
static const char *sasl_mechanisms[] =
{
"PLAIN",
- "EXTERNAL"
+ "EXTERNAL",
+ "SCRAM-SHA-1",
+ "SCRAM-SHA-256",
+ "SCRAM-SHA-512"
};
static void
@@ -1689,6 +1692,12 @@ inbound_toggle_caps (server *serv, const char *extensions_str, gboolean enable)
#ifdef USE_OPENSSL
if (serv->loginmethod == LOGIN_SASLEXTERNAL)
serv->sasl_mech = MECH_EXTERNAL;
+ else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_1)
+ serv->sasl_mech = MECH_SCRAM_SHA_1;
+ else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_256)
+ serv->sasl_mech = MECH_SCRAM_SHA_256;
+ else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_512)
+ serv->sasl_mech = MECH_SCRAM_SHA_512;
#endif
/* Mechanism either defaulted to PLAIN or server gave us list */
tcp_sendf (serv, "AUTHENTICATE %s\r\n", sasl_mechanisms[serv->sasl_mech]);
@@ -1766,6 +1775,30 @@ get_supported_mech (server *serv, const char *list)
break;
}
}
+ else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_1)
+ {
+ if (!strcmp(mechs[i], "SCRAM-SHA-1"))
+ {
+ ret = MECH_SCRAM_SHA_1;
+ break;
+ }
+ }
+ else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_256)
+ {
+ if (!strcmp(mechs[i], "SCRAM-SHA-256"))
+ {
+ ret = MECH_SCRAM_SHA_256;
+ break;
+ }
+ }
+ else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_512)
+ {
+ if (!strcmp(mechs[i], "SCRAM-SHA-512"))
+ {
+ ret = MECH_SCRAM_SHA_512;
+ break;
+ }
+ }
else
#endif
if (!strcmp (mechs[i], "PLAIN"))
@@ -1821,7 +1854,11 @@ inbound_cap_ls (server *serv, char *nick, char *extensions_str,
/* if the SASL password is set AND auth mode is set to SASL, request SASL auth */
if (!g_strcmp0 (extension, "sasl") &&
- ((serv->loginmethod == LOGIN_SASL && strlen (serv->password) != 0)
+ (((serv->loginmethod == LOGIN_SASL
+ || serv->loginmethod == LOGIN_SASL_SCRAM_SHA_1
+ || serv->loginmethod == LOGIN_SASL_SCRAM_SHA_256
+ || serv->loginmethod == LOGIN_SASL_SCRAM_SHA_512)
+ && strlen (serv->password) != 0)
|| serv->loginmethod == LOGIN_SASLEXTERNAL))
{
if (value)
@@ -1902,7 +1939,7 @@ inbound_cap_list (server *serv, char *nick, char *extensions,
}
static void
-plain_authenticate(server *serv, char *user, char *password)
+plain_authenticate (server *serv, char *user, char *password)
{
char *pass = encode_sasl_pass_plain (user, password);
@@ -1933,11 +1970,71 @@ plain_authenticate(server *serv, char *user, char *password)
tcp_sendf (serv, "AUTHENTICATE +\r\n");
}
+#ifdef USE_OPENSSL
+/*
+ * Sends AUTHENTICATE messages to log in via SCRAM.
+ */
+static void
+scram_authenticate (server *serv, const char *data, const char *digest,
+ const char *user, const char *password)
+{
+ char *encoded, *decoded, *output;
+ scram_status status;
+ size_t output_len;
+ gsize decoded_len;
+
+ if (serv->scram_session == NULL)
+ {
+ serv->scram_session = scram_create_session (digest, user, password);
+
+ if (serv->scram_session == NULL)
+ {
+ PrintTextf (serv->server_session, _("Could not create SCRAM session with digest %s"), digest);
+ g_warning ("Could not create SCRAM session with digest %s", digest);
+ tcp_sendf (serv, "AUTHENTICATE *\r\n");
+ return;
+ }
+ }
+
+ decoded = g_base64_decode (data, &decoded_len);
+ status = scram_process (serv->scram_session, decoded, &output, &output_len);
+ g_free (decoded);
+
+ if (status == SCRAM_IN_PROGRESS)
+ {
+ // Authentication is still in progress
+ encoded = g_base64_encode ((guchar *) output, output_len);
+ tcp_sendf (serv, "AUTHENTICATE %s\r\n", encoded);
+ g_free (encoded);
+ g_free (output);
+ }
+ else if (status == SCRAM_SUCCESS)
+ {
+ // Authentication succeeded
+ tcp_sendf (serv, "AUTHENTICATE +\r\n");
+ g_clear_pointer (&serv->scram_session, scram_free_session);
+ }
+ else if (status == SCRAM_ERROR)
+ {
+ // Authentication failed
+ tcp_sendf (serv, "AUTHENTICATE *\r\n");
+
+ if (serv->scram_session->error != NULL)
+ {
+ PrintTextf (serv->server_session, _("SASL SCRAM authentication failed: %s"), serv->scram_session->error);
+ g_info ("SASL SCRAM authentication failed: %s", serv->scram_session->error);
+ }
+
+ g_clear_pointer (&serv->scram_session, scram_free_session);
+ }
+}
+#endif
+
void
inbound_sasl_authenticate (server *serv, char *data)
{
ircnet *net = (ircnet*)serv->network;
- char *user, *pass = NULL;
+ char *user;
const char *mech = sasl_mechanisms[serv->sasl_mech];
/* Got a list of supported mechanisms from outdated inspircd
@@ -1959,6 +2056,15 @@ inbound_sasl_authenticate (server *serv, char *data)
case MECH_EXTERNAL:
tcp_sendf (serv, "AUTHENTICATE +\r\n");
break;
+ case MECH_SCRAM_SHA_1:
+ scram_authenticate(serv, data, "SHA1", user, serv->password);
+ return;
+ case MECH_SCRAM_SHA_256:
+ scram_authenticate(serv, data, "SHA256", user, serv->password);
+ return;
+ case MECH_SCRAM_SHA_512:
+ scram_authenticate(serv, data, "SHA512", user, serv->password);
+ return;
#endif
}
@@ -1969,6 +2075,9 @@ inbound_sasl_authenticate (server *serv, char *data)
void
inbound_sasl_error (server *serv)
{
+#ifdef USE_OPENSSL
+ g_clear_pointer (&serv->scram_session, scram_free_session);
+#endif
/* Just abort, not much we can do */
tcp_sendf (serv, "AUTHENTICATE *\r\n");
}
diff --git a/src/common/meson.build b/src/common/meson.build
index 84e2fca3..35db2c27 100644
--- a/src/common/meson.build
+++ b/src/common/meson.build
@@ -15,6 +15,7 @@ common_sources = [
'plugin-identd.c',
'plugin-timer.c',
'proto-irc.c',
+ 'scram.c',
'server.c',
'servlist.c',
'text.c',
diff --git a/src/common/scram.c b/src/common/scram.c
new file mode 100644
index 00000000..529abd5d
--- /dev/null
+++ b/src/common/scram.c
@@ -0,0 +1,323 @@
+/* HexChat
+ * Copyright (C) 2023 Patrick Okraku
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#include "hexchat.h"
+
+#ifdef USE_OPENSSL
+
+#include "scram.h"
+#include
+#include
+
+#define NONCE_LENGTH 18
+#define CLIENT_KEY "Client Key"
+#define SERVER_KEY "Server Key"
+
+// EVP_MD_CTX_create() and EVP_MD_CTX_destroy() were renamed in OpenSSL 1.1.0
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#define EVP_MD_CTX_new(ctx) EVP_MD_CTX_create(ctx)
+#define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy(ctx)
+#endif
+
+scram_session
+*scram_create_session (const char *digest, const char *username, const char *password)
+{
+ scram_session *session;
+ const EVP_MD *md;
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ OpenSSL_add_all_algorithms ();
+#endif
+ md = EVP_get_digestbyname (digest);
+
+ if (md == NULL)
+ {
+ // Unknown message digest
+ return NULL;
+ }
+
+ session = g_new0 (scram_session, 1);
+ session->digest = md;
+ session->digest_size = EVP_MD_size (md);
+ session->username = g_strdup (username);
+ session->password = g_strdup (password);
+ return session;
+}
+
+void
+scram_free_session (scram_session *session)
+{
+ if (session == NULL)
+ {
+ return;
+ }
+
+ g_free (session->username);
+ g_free (session->password);
+ g_free (session->client_nonce_b64);
+ g_free (session->client_first_message_bare);
+ g_free (session->salted_password);
+ g_free (session->auth_message);
+ g_free (session->error);
+
+ g_free (session);
+}
+
+static int
+create_nonce (void *buffer, size_t length)
+{
+ return RAND_bytes (buffer, length);
+}
+
+static int
+create_SHA (scram_session *session, const unsigned char *input, size_t input_len,
+ unsigned char *output, unsigned int *output_len)
+{
+ EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+
+ if (!EVP_DigestInit_ex (md_ctx, session->digest, NULL))
+ {
+ session->error = g_strdup ("Message digest initialization failed");
+ EVP_MD_CTX_free (md_ctx);
+ return SCRAM_ERROR;
+ }
+
+ if (!EVP_DigestUpdate (md_ctx, input, input_len))
+ {
+ session->error = g_strdup ("Message digest update failed");
+ EVP_MD_CTX_free (md_ctx);
+ return SCRAM_ERROR;
+ }
+
+ if (!EVP_DigestFinal_ex (md_ctx, output, output_len))
+ {
+ session->error = g_strdup ("Message digest finalization failed");
+ EVP_MD_CTX_free (md_ctx);
+ return SCRAM_ERROR;
+ }
+
+ EVP_MD_CTX_free (md_ctx);
+ return SCRAM_IN_PROGRESS;
+}
+
+static scram_status
+process_client_first (scram_session *session, char **output, size_t *output_len)
+{
+ char nonce[NONCE_LENGTH];
+
+ if (!create_nonce (nonce, NONCE_LENGTH))
+ {
+ session->error = g_strdup ("Could not create client nonce");
+ return SCRAM_ERROR;
+ }
+
+ session->client_nonce_b64 = g_base64_encode ((guchar *) nonce, NONCE_LENGTH);
+ *output = g_strdup_printf ("n,,n=%s,r=%s", session->username, session->client_nonce_b64);
+ *output_len = strlen (*output);
+ session->client_first_message_bare = g_strdup (*output + 3);
+ session->step++;
+ return SCRAM_IN_PROGRESS;
+}
+
+static scram_status
+process_server_first (scram_session *session, const char *data, char **output,
+ size_t *output_len)
+{
+ char **params, *client_final_message_without_proof, *salt, *server_nonce_b64,
+ *client_proof_b64;
+ unsigned char *client_key, stored_key[EVP_MAX_MD_SIZE], *client_signature, *client_proof;
+ unsigned int i, param_count, iteration_count, client_key_len, stored_key_len;
+ gsize salt_len = 0;
+ size_t client_nonce_len;
+
+ params = g_strsplit (data, ",", -1);
+ param_count = g_strv_length (params);
+
+ if (param_count < 3)
+ {
+ session->error = g_strdup_printf ("Invalid server-first-message: %s", data);
+ g_strfreev (params);
+ return SCRAM_ERROR;
+ }
+
+ server_nonce_b64 = NULL;
+ salt = NULL;
+ iteration_count = 0;
+
+ for (i = 0; i < param_count; i++)
+ {
+ if (!strncmp (params[i], "r=", 2))
+ {
+ server_nonce_b64 = g_strdup (params[i] + 2);
+ }
+ else if (!strncmp (params[i], "s=", 2))
+ {
+ salt = g_strdup (params[i] + 2);
+ }
+ else if (!strncmp (params[i], "i=", 2))
+ {
+ iteration_count = strtoul (params[i] + 2, NULL, 10);
+ }
+ }
+
+ g_strfreev (params);
+
+ if (server_nonce_b64 == NULL || *server_nonce_b64 == '\0' || salt == NULL ||
+ *salt == '\0' || iteration_count == 0)
+ {
+ session->error = g_strdup_printf ("Invalid server-first-message: %s", data);
+ return SCRAM_ERROR;
+ }
+
+ client_nonce_len = strlen (session->client_nonce_b64);
+
+ // The server can append his nonce to the client's nonce
+ if (strlen (server_nonce_b64) < client_nonce_len ||
+ strncmp (server_nonce_b64, session->client_nonce_b64, client_nonce_len))
+ {
+ session->error = g_strdup_printf ("Invalid server nonce: %s", server_nonce_b64);
+ return SCRAM_ERROR;
+ }
+
+ g_base64_decode_inplace ((gchar *) salt, &salt_len);
+
+ // SaltedPassword := Hi(Normalize(password), salt, i)
+ session->salted_password = g_malloc (session->digest_size);
+
+ PKCS5_PBKDF2_HMAC (session->password, strlen (session->password), (unsigned char *) salt,
+ salt_len, iteration_count, session->digest, session->digest_size,
+ session->salted_password);
+
+ // AuthMessage := client-first-message-bare + "," +
+ // server-first-message + "," +
+ // client-final-message-without-proof
+ client_final_message_without_proof = g_strdup_printf ("c=biws,r=%s", server_nonce_b64);
+
+ session->auth_message = g_strdup_printf ("%s,%s,%s", session->client_first_message_bare,
+ data, client_final_message_without_proof);
+
+ // ClientKey := HMAC(SaltedPassword, "Client Key")
+ client_key = g_malloc0 (session->digest_size);
+
+ HMAC (session->digest, session->salted_password, session->digest_size,
+ (unsigned char *) CLIENT_KEY, strlen (CLIENT_KEY), client_key, &client_key_len);
+
+ // StoredKey := H(ClientKey)
+ if (!create_SHA (session, client_key, session->digest_size, stored_key, &stored_key_len))
+ {
+ return SCRAM_ERROR;
+ }
+
+ // ClientSignature := HMAC(StoredKey, AuthMessage)
+ client_signature = g_malloc0 (session->digest_size);
+ HMAC (session->digest, stored_key, stored_key_len, (unsigned char *) session->auth_message,
+ strlen ((char *) session->auth_message), client_signature, NULL);
+
+ // ClientProof := ClientKey XOR ClientSignature
+ client_proof = g_malloc0 (client_key_len);
+
+ for (i = 0; i < client_key_len; i++)
+ {
+ client_proof[i] = client_key[i] ^ client_signature[i];
+ }
+
+ client_proof_b64 = g_base64_encode ((guchar *) client_proof, client_key_len);
+
+ *output = g_strdup_printf ("%s,p=%s", client_final_message_without_proof, client_proof_b64);
+ *output_len = strlen (*output);
+
+ g_free (server_nonce_b64);
+ g_free (client_final_message_without_proof);
+ g_free (salt);
+ g_free (client_signature);
+ g_free (client_proof);
+
+ session->step++;
+ return SCRAM_IN_PROGRESS;
+}
+
+static scram_status
+process_server_final (scram_session *session, const char *data)
+{
+ char *verifier;
+ unsigned char *server_key, *server_signature;
+ unsigned int server_key_len = 0, server_signature_len = 0;
+ gsize verifier_len = 0;
+
+ if (strlen (data) < 3 || (data[0] != 'v' && data[1] != '='))
+ {
+ return SCRAM_ERROR;
+ }
+
+ verifier = g_strdup (data + 2);
+ g_base64_decode_inplace (verifier, &verifier_len);
+
+ // ServerKey := HMAC(SaltedPassword, "Server Key")
+ server_key = g_malloc0 (session->digest_size);
+ HMAC (session->digest, session->salted_password, session->digest_size,
+ (unsigned char *) SERVER_KEY, strlen (SERVER_KEY), server_key, &server_key_len);
+
+ // ServerSignature := HMAC(ServerKey, AuthMessage)
+ server_signature = g_malloc0 (session->digest_size);
+ HMAC (session->digest, server_key, session->digest_size,
+ (unsigned char *) session->auth_message, strlen ((char *) session->auth_message),
+ server_signature, &server_signature_len);
+
+ if (verifier_len == server_signature_len &&
+ memcmp (verifier, server_signature, verifier_len) == 0)
+ {
+ g_free (verifier);
+ g_free (server_key);
+ g_free (server_signature);
+ return SCRAM_SUCCESS;
+ }
+ else
+ {
+ g_free (verifier);
+ g_free (server_key);
+ g_free (server_signature);
+ return SCRAM_ERROR;
+ }
+}
+
+scram_status
+scram_process (scram_session *session, const char *input, char **output, size_t *output_len)
+{
+ scram_status status;
+
+ switch (session->step)
+ {
+ case 0:
+ status = process_client_first (session, output, output_len);
+ break;
+ case 1:
+ status = process_server_first (session, input, output, output_len);
+ break;
+ case 2:
+ status = process_server_final (session, input);
+ break;
+ default:
+ *output = NULL;
+ *output_len = 0;
+ status = SCRAM_ERROR;
+ break;
+ }
+
+ return status;
+}
+
+#endif
\ No newline at end of file
diff --git a/src/common/scram.h b/src/common/scram.h
new file mode 100644
index 00000000..d8f1429c
--- /dev/null
+++ b/src/common/scram.h
@@ -0,0 +1,51 @@
+/* HexChat
+ * Copyright (C) 2023 Patrick Okraku
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+#ifndef HEXCHAT_SCRAM_H
+#define HEXCHAT_SCRAM_H
+
+#include "config.h"
+#ifdef USE_OPENSSL
+#include
+
+typedef struct
+{
+ const EVP_MD *digest;
+ size_t digest_size;
+ char *username;
+ char *password;
+ char *client_nonce_b64;
+ char *client_first_message_bare;
+ unsigned char *salted_password;
+ char *auth_message;
+ char *error;
+ int step;
+} scram_session;
+
+typedef enum
+{
+ SCRAM_ERROR = 0,
+ SCRAM_IN_PROGRESS,
+ SCRAM_SUCCESS
+} scram_status;
+
+scram_session *scram_create_session (const char *digset, const char *username, const char *password);
+void scram_free_session (scram_session *session);
+scram_status scram_process (scram_session *session, const char *input, char **output, size_t *output_len);
+
+#endif
+#endif
\ No newline at end of file
diff --git a/src/common/server.c b/src/common/server.c
index e14da237..97f8425d 100644
--- a/src/common/server.c
+++ b/src/common/server.c
@@ -1765,7 +1765,9 @@ server_set_defaults (server *serv)
g_free (serv->chanmodes);
g_free (serv->nick_prefixes);
g_free (serv->nick_modes);
-
+#ifdef USE_OPENSSL
+ g_clear_pointer (&serv->scram_session, scram_free_session);
+#endif
serv->chantypes = g_strdup ("#&!+");
serv->chanmodes = g_strdup ("beI,k,l");
serv->nick_prefixes = g_strdup ("@%+");
@@ -1937,6 +1939,8 @@ server_free (server *serv)
#ifdef USE_OPENSSL
if (serv->ctx)
_SSL_context_free (serv->ctx);
+
+ g_clear_pointer (&serv->scram_session, scram_free_session);
#endif
fe_server_callback (serv);
diff --git a/src/common/servlist.h b/src/common/servlist.h
index ec885fef..c3d158b2 100644
--- a/src/common/servlist.h
+++ b/src/common/servlist.h
@@ -79,6 +79,9 @@ extern GSList *network_list;
#define LOGIN_CHALLENGEAUTH 8
#define LOGIN_CUSTOM 9
#define LOGIN_SASLEXTERNAL 10
+#define LOGIN_SASL_SCRAM_SHA_1 11
+#define LOGIN_SASL_SCRAM_SHA_256 12
+#define LOGIN_SASL_SCRAM_SHA_512 13
#define CHALLENGEAUTH_ALGO "HMAC-SHA-256"
#define CHALLENGEAUTH_NICK "Q@CServe.quakenet.org"
diff --git a/src/fe-gtk/servlistgui.c b/src/fe-gtk/servlistgui.c
index edcd4609..0e5e108b 100644
--- a/src/fe-gtk/servlistgui.c
+++ b/src/fe-gtk/servlistgui.c
@@ -128,6 +128,9 @@ static int login_types_conf[] =
LOGIN_SASL,
#ifdef USE_OPENSSL
LOGIN_SASLEXTERNAL,
+ LOGIN_SASL_SCRAM_SHA_1,
+ LOGIN_SASL_SCRAM_SHA_256,
+ LOGIN_SASL_SCRAM_SHA_512,
#endif
LOGIN_PASS,
LOGIN_MSG_NICKSERV,
@@ -146,9 +149,12 @@ static int login_types_conf[] =
static const char *login_types[]=
{
"Default",
- "SASL (username + password)",
+ "SASL PLAIN (username + password)",
#ifdef USE_OPENSSL
"SASL EXTERNAL (cert)",
+ "SASL SCRAM-SHA-1",
+ "SASL SCRAM-SHA-256",
+ "SASL SCRAM-SHA-512",
#endif
"Server password (/PASS password)",
"NickServ (/MSG NickServ + password)",