commit 4a79afd6fea7d80c023f870448b71465942ac97c
Author: Jan Klemkow <[email protected]>
Date:   Mon Oct 31 17:28:16 2022 +0100

    update ii-2.0-tls.diff: add fingerprint support

diff --git a/tools.suckless.org/ii/patches/tls/ii-2.0-tls.diff 
b/tools.suckless.org/ii/patches/tls/ii-2.0-tls.diff
index 24fd0974..6e7bcaaa 100644
--- a/tools.suckless.org/ii/patches/tls/ii-2.0-tls.diff
+++ b/tools.suckless.org/ii/patches/tls/ii-2.0-tls.diff
@@ -1,8 +1,8 @@
-commit fbe27f507fa28ffabe1c777285cfafde2b5b6f5a
+commit 6e349ab328266ab6a6beee31db2c7f97921d480f
 Author: Jan Klemkow <[email protected]>
-Date:   Sun Oct 16 22:10:00 2022 +0200
+Date:   Sun Oct 30 22:25:31 2022 +0100
 
-    Use libtls to encrypt connections.
+    add tls support
 
 diff --git a/Makefile b/Makefile
 index 28c7781..8c19387 100644
@@ -18,7 +18,7 @@ index 28c7781..8c19387 100644
  # on systems which provide strlcpy(3),
  # remove NEED_STRLCPY from CPPFLAGS and
 diff --git a/ii.1 b/ii.1
-index 59fd798..9f5d93c 100644
+index 59fd798..a51944e 100644
 --- a/ii.1
 +++ b/ii.1
 @@ -3,6 +3,7 @@
@@ -29,7 +29,16 @@ index 59fd798..9f5d93c 100644
  .B -s
  .I host
  .RB [ -p
-@@ -34,6 +35,9 @@ For example if you will join a channel just do echo "/j 
#channel" > in
+@@ -18,6 +19,8 @@ ii - irc it or irc improved
+ .IR realname ]
+ .RB [ -k
+ .IR env_pass ]
++.RB [ -F
++.IR fingerprint ]
+ .SH DESCRIPTION
+ .B ii
+ is a minimalistic FIFO and filesystem based IRC client.
+@@ -34,6 +37,9 @@ For example if you will join a channel just do echo "/j 
#channel" > in
  and ii creates a new channel directory with in and out file.
  .SH OPTIONS
  .TP
@@ -39,8 +48,20 @@ index 59fd798..9f5d93c 100644
  .BI -s " host"
  server/host to connect to, for example: irc.freenode.net
  .TP
+@@ -60,6 +66,11 @@ lets you specify an environment variable that contains your 
IRC password,
+ e.g. IIPASS="foobar" ii -k IIPASS.
+ This is done in order to prevent other users from eavesdropping the server
+ password via the process list.
++.TP
++.BI -F " fingerprint"
++disables certificate and hostname verification.
++Just check the server's certificate fingerprint.
++This is recommended to connection to servers with self signed certificates.
+ .SH DIRECTORIES
+ .TP
+ .B ~/irc
 diff --git a/ii.c b/ii.c
-index c402a87..86ad918 100644
+index c402a87..95819c5 100644
 --- a/ii.c
 +++ b/ii.c
 @@ -20,6 +20,9 @@
@@ -53,16 +74,19 @@ index c402a87..86ad918 100644
  char *argv0;
  
  #include "arg.h"
-@@ -101,7 +104,7 @@ die(const char *fmt, ...)
+@@ -101,8 +104,9 @@ die(const char *fmt, ...)
  static void
  usage(void)
  {
 -      die("usage: %s -s host [-p port | -u sockname] [-i ircdir]
"
+-          "   [-n nickname] [-f fullname] [-k env_pass]
", argv0);
 +      die("usage: %s [-t] -s host [-p port | -u sockname] [-i ircdir]
"
-           "   [-n nickname] [-f fullname] [-k env_pass]
", argv0);
++          "   [-n nickname] [-f fullname] [-k env_pass] [-F fingerprint]
",
++          argv0);
  }
  
-@@ -113,11 +116,17 @@ ewritestr(int fd, const char *s)
+ static void
+@@ -113,11 +117,17 @@ ewritestr(int fd, const char *s)
  
        len = strlen(s);
        for (off = 0; off < len; off += w) {
@@ -83,7 +107,7 @@ index c402a87..86ad918 100644
  }
  
  /* creates directories bottom-up, if necessary */
-@@ -686,8 +695,15 @@ read_line(int fd, char *buf, size_t bufsiz)
+@@ -686,8 +696,15 @@ read_line(int fd, char *buf, size_t bufsiz)
        char c = '  
        do {
@@ -101,17 +125,19 @@ index c402a87..86ad918 100644
                buf[i++] = c;
        } while (c != '
' && i < bufsiz);
        buf[i - 1] = '' */
-@@ -799,7 +815,8 @@ main(int argc, char *argv[])
+@@ -798,8 +815,9 @@ main(int argc, char *argv[])
+       struct passwd *spw;
        const char *key = NULL, *fullname = NULL, *host = "";
        const char *uds = NULL, *service = "6667";
-       char prefix[PATH_MAX];
+-      char prefix[PATH_MAX];
 -      int ircfd, r;
++      char prefix[PATH_MAX], *fingerprint = NULL;
 +      int r;
 +      struct tls_config *tls_config = NULL;
  
        /* use nickname and home dir of user by default */
        if (!(spw = getpwuid(getuid())))
-@@ -827,6 +844,17 @@ main(int argc, char *argv[])
+@@ -827,6 +845,16 @@ main(int argc, char *argv[])
        case 's':
                host = EARGF(usage());
                break;
@@ -121,22 +147,32 @@ index c402a87..86ad918 100644
 +
 +              if ((tls = tls_client()) == NULL)
 +                      die("%s: tls_client
", argv0);
-+              if ((tls_config = tls_config_new()) == NULL)
-+                      die("%s: tls_config_new
", argv0);
-+              if (tls_configure(tls, tls_config) == -1)
-+                      die("%s: tls_configure
", argv0);
++              break;
++      case 'F':
++              fingerprint = EARGF(usage());
 +              break;
        case 'u':
                uds = EARGF(usage());
                break;
-@@ -843,6 +871,11 @@ main(int argc, char *argv[])
+@@ -843,6 +871,22 @@ main(int argc, char *argv[])
        else
                ircfd = tcpopen(host, service);
  
++      if (tls && (tls_config = tls_config_new()) == NULL)
++              die("%s: tls_config_new
", argv0);
++      if (tls && fingerprint) {
++              /* Just check cert fingerprint and no CA chain or cert name. */
++              tls_config_insecure_noverifycert(tls_config);
++              tls_config_insecure_noverifyname(tls_config);
++      }
++      if (tls && tls_configure(tls, tls_config) == -1)
++              die("%s: tls_configure
", argv0);
 +      if (tls && tls_connect_socket(tls, ircfd, host) == -1)
 +              die("%s: tls_connect_socket: %s
", argv0, tls_error(tls));
 +      if (tls && tls_handshake(tls) == -1)
 +              die("%s: tls_handshake: %s
", argv0, tls_error(tls));
++      if (tls && fingerprint && strcmp(fingerprint, tls_peer_cert_hash(tls)) 
!= 0)
++              die("%s: wrong fingerprint: %s
", argv0, tls_peer_cert_hash(tls));
 +
  #ifdef __OpenBSD__
        /* OpenBSD pledge(2) support */
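Review bot: The fingerprint comparison calls strcmp() on the result of tls_peer_cert_hash(tls) without checking it, and libtls returns NULL from that function when no peer certificate information is available; strcmp() on NULL is undefined behaviour and will crash rather than fail closed, and the die() message calls it a second time. Fetch the hash once and treat NULL as a mismatch, as below. Separately, the check is gated on `tls && fingerprint`, so `-F` given without `-t` is silently ignored although the man page presents it as disabling verification; a guard after option parsing such as `if (fingerprint && !tls) usage();` would make the misuse visible. The enclosing main() starts and ends outside the hunk, and tls_config is never released with tls_config_free() (the earlier version had the same omission).
```c
	if (tls && fingerprint) {
		/* -F: the peer hash is the only authentication, so NULL must fail closed */
		const char *hash = tls_peer_cert_hash(tls);
		if (hash == NULL || strcmp(fingerprint, hash) != 0)
			die("%s: wrong fingerprint: %s\n", argv0, hash ? hash : "(none)");
	}
```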

