16 files changed, 560 insertions, 41 deletions

diff --git a/src/common/cfgfiles.c b/src/common/cfgfiles.c
index fdee9f2c..f0799de9 100644
--- a/src/common/cfgfiles.c
+++ b/src/common/cfgfiles.c
@@ -468,6 +468,7 @@ const struct prefs vars[] =
 	{"gui_win_fullscreen", P_OFFINT (hex_gui_win_fullscreen), TYPE_INT},
 	{"gui_win_left", P_OFFINT (hex_gui_win_left), TYPE_INT},
 	{"gui_win_modes", P_OFFINT (hex_gui_win_modes), TYPE_BOOL},
+	{"gui_win_nick", P_OFFINT (hex_gui_win_nick), TYPE_BOOL},
 	{"gui_win_save", P_OFFINT (hex_gui_win_save), TYPE_BOOL},
 	{"gui_win_state", P_OFFINT (hex_gui_win_state), TYPE_INT},
 	{"gui_win_swap", P_OFFINT (hex_gui_win_swap), TYPE_BOOL},
@@ -772,6 +773,7 @@ load_default_config(void)
 	prefs.hex_gui_ulist_count = 1;
 	prefs.hex_gui_ulist_icons = 1;
 	prefs.hex_gui_ulist_style = 1;
+	prefs.hex_gui_win_nick = 1;
 	prefs.hex_gui_win_save = 1;
 	prefs.hex_input_filter_beep = 1;
 	prefs.hex_input_flash_hilight = 1;
diff --git a/src/common/common.vcxproj b/src/common/common.vcxproj
index bc191f43..c91d8cbb 100644
--- a/src/common/common.vcxproj
+++ b/src/common/common.vcxproj
@@ -36,6 +36,7 @@
     <ClInclude Include="server.h" />

     <ClInclude Include="servlist.h" />

     <ClInclude Include="ssl.h" />

+    <ClInclude Include="scram.h" />

     <ClInclude Include="sysinfo\sysinfo.h" />

     <ClInclude Include="text.h" />

     <ClInclude Include="$(HexChatLib)textenums.h" />

@@ -69,6 +70,7 @@
     <ClCompile Include="server.c" />

     <ClCompile Include="servlist.c" />

     <ClCompile Include="ssl.c" />

+    <ClCompile Include="scram.c" />

     <ClCompile Include="sysinfo\win32\backend.c" />

     <ClCompile Include="text.c" />

     <ClCompile Include="tree.c" />

diff --git a/src/common/dbus/dbus-client.c b/src/common/dbus/dbus-client.c
index 8b40dd24..e70a49a9 100644
--- a/src/common/dbus/dbus-client.c
+++ b/src/common/dbus/dbus-client.c
@@ -67,7 +67,7 @@ hexchat_remote (void)
 	gboolean hexchat_running;
 	GError *error = NULL;
 	char *command = NULL;
-	int i;
+	guint i;
 
 	/* if there is nothing to do, return now. */
 	if (!arg_existing || !(arg_url || arg_urls || arg_command)) {
diff --git a/src/common/hexchat.h b/src/common/hexchat.h
index 470dd4ad..5ead96d1 100644
--- a/src/common/hexchat.h
+++ b/src/common/hexchat.h
@@ -41,6 +41,7 @@
 
 #ifdef USE_OPENSSL
 #include <openssl/ssl.h>		  /* SSL_() */
+#include "scram.h"
 #endif
 
 #ifdef __EMX__						  /* for o/s 2 */
@@ -150,6 +151,7 @@ struct hexchatprefs
 	unsigned int hex_gui_ulist_style;
 	unsigned int hex_gui_usermenu;
 	unsigned int hex_gui_win_modes;
+	unsigned int hex_gui_win_nick;
 	unsigned int hex_gui_win_save;
 	unsigned int hex_gui_win_swap;
 	unsigned int hex_gui_win_ucount;
@@ -429,6 +431,9 @@ typedef struct session
 /* SASL Mechanisms */
 #define MECH_PLAIN 0
 #define MECH_EXTERNAL 1
+#define MECH_SCRAM_SHA_1 2
+#define MECH_SCRAM_SHA_256 3
+#define MECH_SCRAM_SHA_512 4
 
 typedef struct server
 {
@@ -584,6 +589,7 @@ typedef struct server
 #ifdef USE_OPENSSL
 	unsigned int use_ssl:1;				  /* is server SSL capable? */
 	unsigned int accept_invalid_cert:1;/* ignore result of server's cert. verify */
+	scram_session *scram_session; /* session for SASL SCRAM authentication */
 #endif
 } server;
 
diff --git a/src/common/inbound.c b/src/common/inbound.c
index a591dc48..fdee2ecc 100644
--- a/src/common/inbound.c
+++ b/src/common/inbound.c
@@ -1648,7 +1648,10 @@ inbound_identified (server *serv)	/* 'MODE +e MYSELF' on freenode */
 static const char *sasl_mechanisms[] =
 {
 	"PLAIN",
-	"EXTERNAL"
+	"EXTERNAL",
+	"SCRAM-SHA-1",
+	"SCRAM-SHA-256",
+	"SCRAM-SHA-512"
 };
 
 static void
@@ -1689,6 +1692,12 @@ inbound_toggle_caps (server *serv, const char *extensions_str, gboolean enable)
 #ifdef USE_OPENSSL
 				if (serv->loginmethod == LOGIN_SASLEXTERNAL)
 					serv->sasl_mech = MECH_EXTERNAL;
+				else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_1)
+					serv->sasl_mech = MECH_SCRAM_SHA_1;
+				else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_256)
+					serv->sasl_mech = MECH_SCRAM_SHA_256;
+				else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_512)
+					serv->sasl_mech = MECH_SCRAM_SHA_512;
 #endif
 				/* Mechanism either defaulted to PLAIN or server gave us list */
 				tcp_sendf (serv, "AUTHENTICATE %s\r\n", sasl_mechanisms[serv->sasl_mech]);
@@ -1766,6 +1775,30 @@ get_supported_mech (server *serv, const char *list)
 				break;
 			}
 		}
+		else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_1)
+		{
+			if (!strcmp(mechs[i], "SCRAM-SHA-1"))
+			{
+				ret = MECH_SCRAM_SHA_1;
+				break;
+			}
+		}
+		else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_256)
+		{
+			if (!strcmp(mechs[i], "SCRAM-SHA-256"))
+			{
+				ret = MECH_SCRAM_SHA_256;
+				break;
+			}
+		}
+		else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_512)
+		{
+			if (!strcmp(mechs[i], "SCRAM-SHA-512"))
+			{
+				ret = MECH_SCRAM_SHA_512;
+				break;
+			}
+        }
 		else
 #endif
 		if (!strcmp (mechs[i], "PLAIN"))
@@ -1821,7 +1854,11 @@ inbound_cap_ls (server *serv, char *nick, char *extensions_str,
 
 		/* if the SASL password is set AND auth mode is set to SASL, request SASL auth */
 		if (!g_strcmp0 (extension, "sasl") &&
-			((serv->loginmethod == LOGIN_SASL && strlen (serv->password) != 0)
+			(((serv->loginmethod == LOGIN_SASL
+				|| serv->loginmethod == LOGIN_SASL_SCRAM_SHA_1
+				|| serv->loginmethod == LOGIN_SASL_SCRAM_SHA_256
+				|| serv->loginmethod == LOGIN_SASL_SCRAM_SHA_512)
+					&& strlen (serv->password) != 0)
 				|| serv->loginmethod == LOGIN_SASLEXTERNAL))
 		{
 			if (value)
@@ -1901,11 +1938,103 @@ inbound_cap_list (server *serv, char *nick, char *extensions,
 								  NULL, NULL, 0, tags_data->timestamp);
 }
 
+static void
+plain_authenticate (server *serv, char *user, char *password)
+{
+	char *pass = encode_sasl_pass_plain (user, password);
+
+	if (pass == NULL)
+	{
+		/* something went wrong abort */
+		tcp_sendf (serv, "AUTHENTICATE *\r\n");
+		return;
+	}
+
+	/* long SASL passwords must be split into 400-byte chunks
+	   https://ircv3.net/specs/extensions/sasl-3.1#the-authenticate-command */
+	size_t pass_len = strlen (pass);
+	if (pass_len <= 400)
+		tcp_sendf (serv, "AUTHENTICATE %s\r\n", pass);
+	else
+	{
+		size_t sent = 0;
+		while (sent < pass_len)
+		{
+			char *pass_chunk = g_strndup (pass + sent, 400);
+			tcp_sendf (serv, "AUTHENTICATE %s\r\n", pass_chunk);
+			sent += 400;
+			g_free (pass_chunk);
+		}
+	}
+	if (pass_len % 400 == 0)
+		tcp_sendf (serv, "AUTHENTICATE +\r\n");
+}
+
+#ifdef USE_OPENSSL
+/*
+ * Sends AUTHENTICATE messages to log in via SCRAM.
+ */
+static void
+scram_authenticate (server *serv, const char *data, const char *digest,
+					const char *user, const char *password)
+{
+	char *encoded, *decoded, *output;
+	scram_status status;
+	size_t output_len;
+	gsize decoded_len;
+
+	if (serv->scram_session == NULL)
+	{
+		serv->scram_session = scram_session_create (digest, user, password);
+
+		if (serv->scram_session == NULL)
+		{
+			PrintTextf (serv->server_session, _("Could not create SCRAM session with digest %s"), digest);
+			g_warning ("Could not create SCRAM session with digest %s", digest);
+			tcp_sendf (serv, "AUTHENTICATE *\r\n");
+			return;
+		}
+	}
+
+	decoded = g_base64_decode (data, &decoded_len);
+	status = scram_process (serv->scram_session, decoded, &output, &output_len);
+	g_free (decoded);
+
+	if (status == SCRAM_IN_PROGRESS)
+	{
+		// Authentication is still in progress
+		encoded = g_base64_encode ((guchar *) output, output_len);
+		tcp_sendf (serv, "AUTHENTICATE %s\r\n", encoded);
+		g_free (encoded);
+		g_free (output);
+	}
+	else if (status == SCRAM_SUCCESS)
+	{
+		// Authentication succeeded
+		tcp_sendf (serv, "AUTHENTICATE +\r\n");
+		g_clear_pointer (&serv->scram_session, scram_session_free);
+	}
+	else if (status == SCRAM_ERROR)
+	{
+		// Authentication failed
+		tcp_sendf (serv, "AUTHENTICATE *\r\n");
+
+		if (serv->scram_session->error != NULL)
+		{
+			PrintTextf (serv->server_session, _("SASL SCRAM authentication failed: %s"), serv->scram_session->error);
+			g_info ("SASL SCRAM authentication failed: %s", serv->scram_session->error);
+		}
+
+		g_clear_pointer (&serv->scram_session, scram_session_free);
+	}
+}
+#endif
+
 void
 inbound_sasl_authenticate (server *serv, char *data)
 {
 		ircnet *net = (ircnet*)serv->network;
-		char *user, *pass = NULL;
+		char *user;
 		const char *mech = sasl_mechanisms[serv->sasl_mech];
 
 		/* Got a list of supported mechanisms from outdated inspircd
@@ -1921,43 +2050,24 @@ inbound_sasl_authenticate (server *serv, char *data)
 		switch (serv->sasl_mech)
 		{
 		case MECH_PLAIN:
-			pass = encode_sasl_pass_plain (user, serv->password);
+			plain_authenticate(serv, user, serv->password);
 			break;
 #ifdef USE_OPENSSL
 		case MECH_EXTERNAL:
-			pass = g_strdup ("+");
+			tcp_sendf (serv, "AUTHENTICATE +\r\n");
 			break;
-#endif
-		}
-
-		if (pass == NULL)
-		{
-			/* something went wrong abort */
-			tcp_sendf (serv, "AUTHENTICATE *\r\n");
+		case MECH_SCRAM_SHA_1:
+			scram_authenticate(serv, data, "SHA1", user, serv->password);
 			return;
+		case MECH_SCRAM_SHA_256:
+			scram_authenticate(serv, data, "SHA256", user, serv->password);
+			return;
+		case MECH_SCRAM_SHA_512:
+			scram_authenticate(serv, data, "SHA512", user, serv->password);
+			return;
+#endif
 		}
 
-		/* long SASL passwords must be split into 400-byte chunks
-		   https://ircv3.net/specs/extensions/sasl-3.1#the-authenticate-command */
-		size_t pass_len = strlen (pass);
-		if (pass_len <= 400)
-			tcp_sendf (serv, "AUTHENTICATE %s\r\n", pass);
-		else
-		{
-			size_t sent = 0;
-			while (sent < pass_len)
-			{
-				char *pass_chunk = g_strndup (pass + sent, 400);
-				tcp_sendf (serv, "AUTHENTICATE %s\r\n", pass_chunk);
-				sent += 400;
-				g_free (pass_chunk);
-			}
-		}
-		if (pass_len % 400 == 0)
-			tcp_sendf (serv, "AUTHENTICATE +\r\n");
-		g_free (pass);
-
-		
 		EMIT_SIGNAL_TIMESTAMP (XP_TE_SASLAUTH, serv->server_session, user, (char*)mech,
 								NULL,	NULL,	0,	0);
 }
@@ -1965,6 +2075,9 @@ inbound_sasl_authenticate (server *serv, char *data)
 void
 inbound_sasl_error (server *serv)
 {
+#ifdef USE_OPENSSL
+    g_clear_pointer (&serv->scram_session, scram_session_free);
+#endif
 	/* Just abort, not much we can do */
 	tcp_sendf (serv, "AUTHENTICATE *\r\n");
 }
diff --git a/src/common/meson.build b/src/common/meson.build
index 84e2fca3..35db2c27 100644
--- a/src/common/meson.build
+++ b/src/common/meson.build
@@ -15,6 +15,7 @@ common_sources = [
   'plugin-identd.c',
   'plugin-timer.c',
   'proto-irc.c',
+  'scram.c',
   'server.c',
   'servlist.c',
 	'text.c',
diff --git a/src/common/modes.c b/src/common/modes.c
index d8fd75aa..1ff309bd 100644
--- a/src/common/modes.c
+++ b/src/common/modes.c
@@ -680,7 +680,7 @@ handle_mode (server * serv, char *word[], char *word_eol[],
 	int len;
 	size_t arg;
 	size_t i, num_args;
-	int num_modes;
+	size_t num_modes;
 	size_t offset = 3;
 	int all_modes_have_args = FALSE;
 	int using_front_tab = FALSE;
diff --git a/src/common/outbound.c b/src/common/outbound.c
index b9f88196..b8153502 100644
--- a/src/common/outbound.c
+++ b/src/common/outbound.c
@@ -468,7 +468,7 @@ create_mask (session * sess, char *mask, char *mode, char *typestr, int deop)
 			type = prefs.hex_irc_ban_type;
 
 		buf[0] = 0;
-		if (inet_addr (fullhost) != -1)	/* "fullhost" is really a IP number */
+		if (inet_addr (fullhost) != (guint32) -1)	/* "fullhost" is really a IP number */
 		{
 			lastdot = strrchr (fullhost, '.');
 			if (!lastdot)
@@ -3458,6 +3458,8 @@ cmd_server (struct session *sess, char *tbuf, char *word[], char *word_eol[])
 #ifdef USE_OPENSSL
 	int use_ssl = TRUE;
 	int use_ssl_noverify = FALSE;
+#else
+	int use_ssl = FALSE;
 #endif
 	int is_url = TRUE;
 	server *serv = sess->server;
diff --git a/src/common/plugin.c b/src/common/plugin.c
index 5524e984..f4691d73 100644
--- a/src/common/plugin.c
+++ b/src/common/plugin.c
@@ -491,7 +491,6 @@ plugin_auto_load (session *sess)
 	for_files (lib_dir, "hcfishlim.dll", plugin_auto_load_cb);
 	for_files(lib_dir, "hclua.dll", plugin_auto_load_cb);
 	for_files (lib_dir, "hcperl.dll", plugin_auto_load_cb);
-	for_files (lib_dir, "hcpython2.dll", plugin_auto_load_cb);
 	for_files (lib_dir, "hcpython3.dll", plugin_auto_load_cb);
 	for_files (lib_dir, "hcupd.dll", plugin_auto_load_cb);
 	for_files (lib_dir, "hcwinamp.dll", plugin_auto_load_cb);
diff --git a/src/common/scram.c b/src/common/scram.c
new file mode 100644
index 00000000..b39199de
--- /dev/null
+++ b/src/common/scram.c
@@ -0,0 +1,333 @@
+/* HexChat
+ * Copyright (C) 2023 Patrick Okraku
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#include "hexchat.h"
+
+#ifdef USE_OPENSSL
+
+#include "scram.h"
+#include <openssl/hmac.h>
+#include <openssl/rand.h>
+
+#define NONCE_LENGTH 18
+#define CLIENT_KEY "Client Key"
+#define SERVER_KEY "Server Key"
+
+// EVP_MD_CTX_create() and EVP_MD_CTX_destroy() were renamed in OpenSSL 1.1.0
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#define EVP_MD_CTX_new(ctx) EVP_MD_CTX_create(ctx)
+#define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy(ctx)
+#endif
+
+scram_session
+*scram_session_create (const char *digest, const char *username, const char *password)
+{
+	scram_session *session;
+	const EVP_MD *md;
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+	OpenSSL_add_all_algorithms ();
+#endif
+	md = EVP_get_digestbyname (digest);
+
+	if (md == NULL)
+	{
+		// Unknown message digest
+		return NULL;
+	}
+
+	session = g_new0 (scram_session, 1);
+	session->digest = md;
+	session->digest_size = EVP_MD_size (md);
+	session->username = g_strdup (username);
+	session->password = g_strdup (password);
+	return session;
+}
+
+void
+scram_session_free (scram_session *session)
+{
+	if (session == NULL)
+	{
+		return;
+	}
+
+	g_free (session->username);
+	g_free (session->password);
+	g_free (session->client_nonce_b64);
+	g_free (session->client_first_message_bare);
+	g_free (session->salted_password);
+	g_free (session->auth_message);
+	g_free (session->error);
+
+	g_free (session);
+}
+
+static int
+create_nonce (void *buffer, size_t length)
+{
+	return RAND_bytes (buffer, length);
+}
+
+static int
+create_SHA (scram_session *session, const unsigned char *input, size_t input_len,
+			unsigned char *output, unsigned int *output_len)
+{
+	EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+
+	if (!EVP_DigestInit_ex (md_ctx, session->digest, NULL))
+	{
+		session->error = g_strdup ("Message digest initialization failed");
+		EVP_MD_CTX_free (md_ctx);
+		return SCRAM_ERROR;
+	}
+
+	if (!EVP_DigestUpdate (md_ctx, input, input_len))
+	{
+		session->error = g_strdup ("Message digest update failed");
+		EVP_MD_CTX_free (md_ctx);
+		return SCRAM_ERROR;
+	}
+
+	if (!EVP_DigestFinal_ex (md_ctx, output, output_len))
+	{
+		session->error = g_strdup ("Message digest finalization failed");
+		EVP_MD_CTX_free (md_ctx);
+		return SCRAM_ERROR;
+	}
+
+	EVP_MD_CTX_free (md_ctx);
+	return SCRAM_IN_PROGRESS;
+}
+
+static scram_status
+process_client_first (scram_session *session, char **output, size_t *output_len)
+{
+	char nonce[NONCE_LENGTH];
+
+	if (!create_nonce (nonce, NONCE_LENGTH))
+	{
+		session->error = g_strdup ("Could not create client nonce");
+		return SCRAM_ERROR;
+	}
+
+	session->client_nonce_b64 = g_base64_encode ((guchar *) nonce, NONCE_LENGTH);
+	*output = g_strdup_printf ("n,,n=%s,r=%s", session->username, session->client_nonce_b64);
+	*output_len = strlen (*output);
+	session->client_first_message_bare = g_strdup (*output + 3);
+	session->step++;
+	return SCRAM_IN_PROGRESS;
+}
+
+static scram_status
+process_server_first (scram_session *session, const char *data, char **output,
+					  size_t *output_len)
+{
+	char **params, *client_final_message_without_proof, *salt, *server_nonce_b64,
+			*client_proof_b64;
+	unsigned char *client_key, stored_key[EVP_MAX_MD_SIZE], *client_signature, *client_proof;
+	unsigned int i, param_count, iteration_count, client_key_len, stored_key_len;
+	gsize salt_len = 0;
+	size_t client_nonce_len;
+
+	params = g_strsplit (data, ",", -1);
+	param_count = g_strv_length (params);
+
+	if (param_count < 3)
+	{
+		session->error = g_strdup_printf ("Invalid server-first-message: %s", data);
+		g_strfreev (params);
+		return SCRAM_ERROR;
+	}
+
+	server_nonce_b64 = NULL;
+	salt = NULL;
+	iteration_count = 0;
+
+	for (i = 0; i < param_count; i++)
+	{
+		if (!strncmp (params[i], "r=", 2))
+		{
+			g_free (server_nonce_b64);
+			server_nonce_b64 = g_strdup (params[i] + 2);
+		}
+		else if (!strncmp (params[i], "s=", 2))
+		{
+			g_free (salt);
+			salt = g_strdup (params[i] + 2);
+		}
+		else if (!strncmp (params[i], "i=", 2))
+		{
+			iteration_count = strtoul (params[i] + 2, NULL, 10);
+		}
+	}
+
+	g_strfreev (params);
+
+	if (server_nonce_b64 == NULL || *server_nonce_b64 == '\0' || salt == NULL ||
+		*salt == '\0' || iteration_count == 0)
+	{
+		session->error = g_strdup_printf ("Invalid server-first-message: %s", data);
+		g_free (server_nonce_b64);
+		g_free (salt);
+		return SCRAM_ERROR;
+	}
+
+	client_nonce_len = strlen (session->client_nonce_b64);
+
+	// The server can append his nonce to the client's nonce
+	if (strlen (server_nonce_b64) < client_nonce_len ||
+		strncmp (server_nonce_b64, session->client_nonce_b64, client_nonce_len))
+	{
+		session->error = g_strdup_printf ("Invalid server nonce: %s", server_nonce_b64);
+		return SCRAM_ERROR;
+	}
+
+	g_base64_decode_inplace ((gchar *) salt, &salt_len);
+
+	// SaltedPassword := Hi(Normalize(password), salt, i)
+	session->salted_password = g_malloc (session->digest_size);
+
+	PKCS5_PBKDF2_HMAC (session->password, strlen (session->password), (unsigned char *) salt,
+					   salt_len, iteration_count, session->digest, session->digest_size,
+					   session->salted_password);
+
+	// AuthMessage := client-first-message-bare + "," +
+	//                server-first-message + "," +
+	//                client-final-message-without-proof
+	client_final_message_without_proof = g_strdup_printf ("c=biws,r=%s", server_nonce_b64);
+
+	session->auth_message = g_strdup_printf ("%s,%s,%s", session->client_first_message_bare,
+											 data, client_final_message_without_proof);
+
+	// ClientKey := HMAC(SaltedPassword, "Client Key")
+	client_key = g_malloc0 (session->digest_size);
+
+	HMAC (session->digest, session->salted_password, session->digest_size,
+		  (unsigned char *) CLIENT_KEY, strlen (CLIENT_KEY), client_key, &client_key_len);
+
+	// StoredKey := H(ClientKey)
+	if (!create_SHA (session, client_key, session->digest_size, stored_key, &stored_key_len))
+	{
+		g_free (client_final_message_without_proof);
+		g_free (server_nonce_b64);
+		g_free (salt);
+		g_free (client_key);
+		return SCRAM_ERROR;
+	}
+
+	// ClientSignature := HMAC(StoredKey, AuthMessage)
+	client_signature = g_malloc0 (session->digest_size);
+	HMAC (session->digest, stored_key, stored_key_len, (unsigned char *) session->auth_message,
+		  strlen ((char *) session->auth_message), client_signature, NULL);
+
+	// ClientProof := ClientKey XOR ClientSignature
+	client_proof = g_malloc0 (client_key_len);
+
+	for (i = 0; i < client_key_len; i++)
+	{
+		client_proof[i] = client_key[i] ^ client_signature[i];
+	}
+
+	client_proof_b64 = g_base64_encode ((guchar *) client_proof, client_key_len);
+
+	*output = g_strdup_printf ("%s,p=%s", client_final_message_without_proof, client_proof_b64);
+	*output_len = strlen (*output);
+
+	g_free (server_nonce_b64);
+	g_free (salt);
+	g_free (client_final_message_without_proof);
+	g_free (client_key);
+	g_free (client_signature);
+	g_free (client_proof);
+	g_free (client_proof_b64);
+
+	session->step++;
+	return SCRAM_IN_PROGRESS;
+}
+
+static scram_status
+process_server_final (scram_session *session, const char *data)
+{
+	char *verifier;
+	unsigned char *server_key, *server_signature;
+	unsigned int server_key_len = 0, server_signature_len = 0;
+	gsize verifier_len = 0;
+
+	if (strlen (data) < 3 || (data[0] != 'v' && data[1] != '='))
+	{
+		return SCRAM_ERROR;
+	}
+
+	verifier = g_strdup (data + 2);
+	g_base64_decode_inplace (verifier, &verifier_len);
+
+	// ServerKey := HMAC(SaltedPassword, "Server Key")
+	server_key = g_malloc0 (session->digest_size);
+	HMAC (session->digest, session->salted_password, session->digest_size,
+		  (unsigned char *) SERVER_KEY, strlen (SERVER_KEY), server_key, &server_key_len);
+
+	// ServerSignature := HMAC(ServerKey, AuthMessage)
+	server_signature = g_malloc0 (session->digest_size);
+	HMAC (session->digest, server_key, session->digest_size,
+		  (unsigned char *) session->auth_message, strlen ((char *) session->auth_message),
+		  server_signature, &server_signature_len);
+
+	if (verifier_len == server_signature_len &&
+		memcmp (verifier, server_signature, verifier_len) == 0)
+	{
+		g_free (verifier);
+		g_free (server_key);
+		g_free (server_signature);
+		return SCRAM_SUCCESS;
+	}
+	else
+	{
+		g_free (verifier);
+		g_free (server_key);
+		g_free (server_signature);
+		return SCRAM_ERROR;
+	}
+}
+
+scram_status
+scram_process (scram_session *session, const char *input, char **output, size_t *output_len)
+{
+	scram_status status;
+
+	switch (session->step)
+	{
+		case 0:
+			status = process_client_first (session, output, output_len);
+			break;
+		case 1:
+			status = process_server_first (session, input, output, output_len);
+			break;
+		case 2:
+			status = process_server_final (session, input);
+			break;
+		default:
+			*output = NULL;
+			*output_len = 0;
+			status = SCRAM_ERROR;
+			break;
+	}
+
+	return status;
+}
+
+#endif
\ No newline at end of file
diff --git a/src/common/scram.h b/src/common/scram.h
new file mode 100644
index 00000000..ffe22037
--- /dev/null
+++ b/src/common/scram.h
@@ -0,0 +1,51 @@
+/* HexChat
+ * Copyright (C) 2023 Patrick Okraku
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+#ifndef HEXCHAT_SCRAM_H
+#define HEXCHAT_SCRAM_H
+
+#include "config.h"
+#ifdef USE_OPENSSL
+#include <openssl/evp.h>
+
+typedef struct
+{
+	const EVP_MD *digest;
+	size_t digest_size;
+	char *username;
+	char *password;
+	char *client_nonce_b64;
+	char *client_first_message_bare;
+	unsigned char *salted_password;
+	char *auth_message;
+	char *error;
+	int step;
+} scram_session;
+
+typedef enum
+{
+	SCRAM_ERROR = 0,
+	SCRAM_IN_PROGRESS,
+	SCRAM_SUCCESS
+} scram_status;
+
+scram_session *scram_session_create (const char *digset, const char *username, const char *password);
+void scram_session_free (scram_session *session);
+scram_status scram_process (scram_session *session, const char *input, char **output, size_t *output_len);
+
+#endif
+#endif
\ No newline at end of file
diff --git a/src/common/server.c b/src/common/server.c
index e14da237..c78ce900 100644
--- a/src/common/server.c
+++ b/src/common/server.c
@@ -1765,7 +1765,9 @@ server_set_defaults (server *serv)
 	g_free (serv->chanmodes);
 	g_free (serv->nick_prefixes);
 	g_free (serv->nick_modes);
-
+#ifdef USE_OPENSSL
+        g_clear_pointer (&serv->scram_session, scram_session_free);
+#endif
 	serv->chantypes = g_strdup ("#&!+");
 	serv->chanmodes = g_strdup ("beI,k,l");
 	serv->nick_prefixes = g_strdup ("@%+");
@@ -1937,6 +1939,8 @@ server_free (server *serv)
 #ifdef USE_OPENSSL
 	if (serv->ctx)
 		_SSL_context_free (serv->ctx);
+
+        g_clear_pointer (&serv->scram_session, scram_session_free);
 #endif
 
 	fe_server_callback (serv);
diff --git a/src/common/servlist.c b/src/common/servlist.c
index 771d7813..1f29bb32 100644
--- a/src/common/servlist.c
+++ b/src/common/servlist.c
@@ -305,6 +305,9 @@ static const struct defaultserver def[] =
 	{"Techtronix",	0, 0, 0, LOGIN_SASL, 0, TRUE},
 	{0,			"irc.techtronix.net"},
 	
+	{"TechNet", 0, 0, 0, LOGIN_SASL, 0, TRUE},
+	{0,			"irc.technet.chat"},
+	
 	{"tilde.chat", 0, 0, 0, LOGIN_SASL, 0, TRUE},
 	{0,			"irc.tilde.chat"},
 
@@ -323,7 +326,7 @@ static const struct defaultserver def[] =
 #endif	
 
 	{"UnderNet", 0, 0, 0, LOGIN_CUSTOM, "MSG x@channels.undernet.org login %u %p"},
-	{0,			"us.undernet.org"},
+	{0,			"irc.undernet.org"},
 
 	{"Xertion", 0, 0, 0, LOGIN_SASL, 0, TRUE},
 	{0,			"irc.xertion.org"},
diff --git a/src/common/servlist.h b/src/common/servlist.h
index ec885fef..c3d158b2 100644
--- a/src/common/servlist.h
+++ b/src/common/servlist.h
@@ -79,6 +79,9 @@ extern GSList *network_list;
 #define LOGIN_CHALLENGEAUTH		8
 #define LOGIN_CUSTOM			9
 #define LOGIN_SASLEXTERNAL		10
+#define LOGIN_SASL_SCRAM_SHA_1	11
+#define LOGIN_SASL_SCRAM_SHA_256	12
+#define LOGIN_SASL_SCRAM_SHA_512	13
 
 #define CHALLENGEAUTH_ALGO		"HMAC-SHA-256"
 #define CHALLENGEAUTH_NICK		"Q@CServe.quakenet.org"
diff --git a/src/common/url.c b/src/common/url.c
index 6a1d09e8..ae85ae44 100644
--- a/src/common/url.c
+++ b/src/common/url.c
@@ -331,7 +331,7 @@ url_check_line (char *buf)
 	GRegex *re(void);
 	GMatchInfo *gmi;
 	char *po = buf;
-	int i;
+	size_t i;
 
 	/* Skip over message prefix */
 	if (*po == ':')
diff --git a/src/common/util.c b/src/common/util.c
index f06074fc..bd920cae 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -988,7 +988,7 @@ void
 country_search (char *pattern, void *ud, void (*print)(void *, char *, ...))
 {
 	const domain_t *dom;
-	int i;
+	size_t i;
 
 	for (i = 0; i < sizeof (domain) / sizeof (domain_t); i++)
 	{