[wiki] [sites] update ii-2.0-tls.diff: add fingerprint support || Jan Klemkow

From: <git_AT_suckless.org>
Date: Mon, 31 Oct 2022 17:29:23 +0100

commit 4a79afd6fea7d80c023f870448b71465942ac97c
Author: Jan Klemkow <j.klemkow_AT_wemelug.de>
Date: Mon Oct 31 17:28:16 2022 +0100

    update ii-2.0-tls.diff: add fingerprint support

diff --git a/tools.suckless.org/ii/patches/tls/ii-2.0-tls.diff b/tools.suckless.org/ii/patches/tls/ii-2.0-tls.diff
index 24fd0974..6e7bcaaa 100644
--- a/tools.suckless.org/ii/patches/tls/ii-2.0-tls.diff
+++ b/tools.suckless.org/ii/patches/tls/ii-2.0-tls.diff
_AT_@ -1,8 +1,8 @@
-commit fbe27f507fa28ffabe1c777285cfafde2b5b6f5a
+commit 6e349ab328266ab6a6beee31db2c7f97921d480f
 Author: Jan Klemkow <j.klemkow_AT_wemelug.de>
-Date: Sun Oct 16 22:10:00 2022 +0200
+Date: Sun Oct 30 22:25:31 2022 +0100
 
- Use libtls to encrypt connections.
+ add tls support
 
 diff --git a/Makefile b/Makefile
 index 28c7781..8c19387 100644
_AT_@ -18,7 +18,7 @@ index 28c7781..8c19387 100644
  # on systems which provide strlcpy(3),
  # remove NEED_STRLCPY from CPPFLAGS and
 diff --git a/ii.1 b/ii.1
-index 59fd798..9f5d93c 100644
+index 59fd798..a51944e 100644
 --- a/ii.1
 +++ b/ii.1
 _AT_@ -3,6 +3,7 @@
_AT_@ -29,7 +29,16 @@ index 59fd798..9f5d93c 100644
  .B -s
  .I host
  .RB [ -p
-_AT_@ -34,6 +35,9 @@ For example if you will join a channel just do echo "/j #channel" > in
+_AT_@ -18,6 +19,8 @@ ii - irc it or irc improved
+ .IR realname ]
+ .RB [ -k
+ .IR env_pass ]
++.RB [ -F
++.IR fingerprint ]
+ .SH DESCRIPTION
+ .B ii
+ is a minimalistic FIFO and filesystem based IRC client.
+_AT_@ -34,6 +37,9 @@ For example if you will join a channel just do echo "/j #channel" > in
  and ii creates a new channel directory with in and out file.
  .SH OPTIONS
  .TP
_AT_@ -39,8 +48,20 @@ index 59fd798..9f5d93c 100644
  .BI -s " host"
  server/host to connect to, for example: irc.freenode.net
  .TP
+_AT_@ -60,6 +66,11 @@ lets you specify an environment variable that contains your IRC password,
+ e.g. IIPASS="foobar" ii -k IIPASS.
+ This is done in order to prevent other users from eavesdropping the server
+ password via the process list.
++.TP
++.BI -F " fingerprint"
++disables certificate and hostname verification.
++Just check the server's certificate fingerprint.
++This is recommended to connection to servers with self signed certificates.
+ .SH DIRECTORIES
+ .TP
+ .B ~/irc
 diff --git a/ii.c b/ii.c
-index c402a87..86ad918 100644
+index c402a87..95819c5 100644
 --- a/ii.c
 +++ b/ii.c
 _AT_@ -20,6 +20,9 @@
_AT_@ -53,16 +74,19 @@ index c402a87..86ad918 100644
  char *argv0;
  
  #include "arg.h"
-_AT_@ -101,7 +104,7 @@ die(const char *fmt, ...)
+_AT_@ -101,8 +104,9 @@ die(const char *fmt, ...)
  static void
  usage(void)
  {
 - die("usage: %s -s host [-p port | -u sockname] [-i ircdir]
"
+- " [-n nickname] [-f fullname] [-k env_pass]
", argv0);
 + die("usage: %s [-t] -s host [-p port | -u sockname] [-i ircdir]
"
- " [-n nickname] [-f fullname] [-k env_pass]
", argv0);
++ " [-n nickname] [-f fullname] [-k env_pass] [-F fingerprint]
",
++ argv0);
  }
  
-_AT_@ -113,11 +116,17 @@ ewritestr(int fd, const char *s)
+ static void
+_AT_@ -113,11 +117,17 @@ ewritestr(int fd, const char *s)
  
          len = strlen(s);
          for (off = 0; off < len; off += w) {
_AT_@ -83,7 +107,7 @@ index c402a87..86ad918 100644
  }
  
  /* creates directories bottom-up, if necessary */
-_AT_@ -686,8 +695,15 @@ read_line(int fd, char *buf, size_t bufsiz)
+_AT_@ -686,8 +696,15 @@ read_line(int fd, char *buf, size_t bufsiz)
          char c = '
          do {
_AT_@ -101,17 +125,19 @@ index c402a87..86ad918 100644
                  buf[i++] = c;
          } while (c != '
' && i < bufsiz);
          buf[i - 1] = '' */
-_AT_@ -799,7 +815,8 @@ main(int argc, char *argv[])
+_AT_@ -798,8 +815,9 @@ main(int argc, char *argv[])
+ struct passwd *spw;
          const char *key = NULL, *fullname = NULL, *host = "";
          const char *uds = NULL, *service = "6667";
- char prefix[PATH_MAX];
+- char prefix[PATH_MAX];
 - int ircfd, r;
++ char prefix[PATH_MAX], *fingerprint = NULL;
 + int r;
 + struct tls_config *tls_config = NULL;
  
          /* use nickname and home dir of user by default */
          if (!(spw = getpwuid(getuid())))
-_AT_@ -827,6 +844,17 @@ main(int argc, char *argv[])
+_AT_@ -827,6 +845,16 @@ main(int argc, char *argv[])
          case 's':
                  host = EARGF(usage());
                  break;
_AT_@ -121,22 +147,32 @@ index c402a87..86ad918 100644
 +
 + if ((tls = tls_client()) == NULL)
 + die("%s: tls_client
", argv0);
-+ if ((tls_config = tls_config_new()) == NULL)
-+ die("%s: tls_config_new
", argv0);
-+ if (tls_configure(tls, tls_config) == -1)
-+ die("%s: tls_configure
", argv0);
++ break;
++ case 'F':
++ fingerprint = EARGF(usage());
 + break;
          case 'u':
                  uds = EARGF(usage());
                  break;
-_AT_@ -843,6 +871,11 @@ main(int argc, char *argv[])
+_AT_@ -843,6 +871,22 @@ main(int argc, char *argv[])
          else
                  ircfd = tcpopen(host, service);
  
++ if (tls && (tls_config = tls_config_new()) == NULL)
++ die("%s: tls_config_new
", argv0);
++ if (tls && fingerprint) {
++ /* Just check cert fingerprint and no CA chain or cert name. */
++ tls_config_insecure_noverifycert(tls_config);
++ tls_config_insecure_noverifyname(tls_config);
++ }
++ if (tls && tls_configure(tls, tls_config) == -1)
++ die("%s: tls_configure
", argv0);
 + if (tls && tls_connect_socket(tls, ircfd, host) == -1)
 + die("%s: tls_connect_socket: %s
", argv0, tls_error(tls));
 + if (tls && tls_handshake(tls) == -1)
 + die("%s: tls_handshake: %s
", argv0, tls_error(tls));
++ if (tls && fingerprint && strcmp(fingerprint, tls_peer_cert_hash(tls)) != 0)
++ die("%s: wrong fingerprint: %s
", argv0, tls_peer_cert_hash(tls));
 +
  #ifdef __OpenBSD__
          /* OpenBSD pledge(2) support */
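Review bot: The fingerprint check after the handshake passes `tls_peer_cert_hash(tls)` straight into `strcmp` and then into `die` via `%s`, but libtls documents that call as returning NULL on error, so a missing or unreadable peer certificate would dereference a null pointer in both places instead of failing cleanly; fetch the hash once and NULL-check it before comparing, as in the excerpt below. Separately, every fingerprint step is gated on `tls`, so `-F` given without `-t` is silently ignored and the user ends up on a plain-text connection with no diagnostic — after option parsing, `if (fingerprint && !tls) usage();` (or at least a warning) would surface that mismatch; the option-parsing loop and `main` itself begin and end outside this hunk. The two `tls_config_insecure_*` calls are correctly confined to the fingerprint case, so the default `-t` path keeps CA and hostname verification.
```c
	if (tls && fingerprint) {
		const char *hash = tls_peer_cert_hash(tls);
		if (hash == NULL)
			die("%s: tls_peer_cert_hash: %s\n", argv0, tls_error(tls));
		if (strcmp(fingerprint, hash) != 0)
			die("%s: wrong fingerprint: %s\n", argv0, hash);
	}
	/* … unchanged: OpenBSD pledge(2) setup … */
```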