Update botnet challenge response from md5 to something better
MD5 is cryptographically broken and unsuitable for further use.
Now we could switch to sha-something, or we could do better and switch to public key auth.
Btw: MD5 challenge was introduced with 260fbe5a2f8af676adf7b6e9115898c339024983 for eggdrop 1.4.0 (1.3.29) released November 9, 1999. If current eggdrop can still link to pre-1.4 bots we must keep the cleartext mechanism, else we could remove it.
Eggdrop's challenge–response authentication does not do mutual authentication, yet?
We could also use the "not yet implemented" pbkdf2 method to apply key stretching to our challenge–response authentication.
And here is another link to more information: https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00 (Yes, eggdrop's challenge response is very similar to cram-md5.) It says: "It is recommended that application protocol designers and deployers consider the SASL PLAIN [RFC4616] mechanism protected by TLS [RFC5246] and/or the SASL Salted Challenge Response Authentication Mechanism (SCRAM) [SCRAM] as alternatives to CRAM-MD5." We now have SASL and TLS implemented for irc server auth, why not also use it for bot-link auth?
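The PBKDF2 key stretching and mutual authentication raised above, combined in one added sketch. It is not Eggdrop code and not a wire-compatible SCRAM implementation; the hub/leaf role labels, 16-byte nonces, per-handshake salt and iteration count are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune for the deployment
NONCE_LEN = 16        # fixed length keeps the HMAC input unambiguous


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Key stretching: both bots derive the same link key from the shared password."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def proof(key: bytes, role: bytes, hub_nonce: bytes, leaf_nonce: bytes) -> bytes:
    """HMAC-SHA256 over both nonces. The role label makes the hub's proof
    differ from the leaf's, so one side's proof cannot be reflected back."""
    msg = role + b"|" + hub_nonce + b"|" + leaf_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def link(hub_password: bytes, leaf_password: bytes) -> tuple:
    """Simulate one handshake in-process.
    Returns (hub_accepts_leaf, leaf_accepts_hub)."""
    # hub -> leaf: salt, hub_nonce
    salt = os.urandom(16)  # generated per handshake here for brevity
    hub_nonce = os.urandom(NONCE_LEN)

    # leaf -> hub: leaf_nonce, leaf_proof
    leaf_nonce = os.urandom(NONCE_LEN)
    leaf_key = derive_key(leaf_password, salt)
    leaf_proof = proof(leaf_key, b"leaf", hub_nonce, leaf_nonce)

    # hub verifies the leaf in constant time
    hub_key = derive_key(hub_password, salt)
    expected = proof(hub_key, b"leaf", hub_nonce, leaf_nonce)
    hub_ok = hmac.compare_digest(leaf_proof, expected)

    # hub -> leaf: hub_proof; the leaf verifies it, which is the mutual half
    hub_proof = proof(hub_key, b"hub", hub_nonce, leaf_nonce)
    expected = proof(leaf_key, b"hub", hub_nonce, leaf_nonce)
    leaf_ok = hub_ok and hmac.compare_digest(hub_proof, expected)
    return hub_ok, leaf_ok


if __name__ == "__main__":
    print(link(b"constructed-password", b"constructed-password"))  # matching
    print(link(b"constructed-password", b"something-else"))        # mismatch
```

Because each side contributes a fresh nonce, a proof captured from one handshake does not verify in another.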