On Sun, Jan 29, 2017 at 10:27:29PM +0100, Josuah Demangeon wrote:
> I am updating the SSL patch for ii for latest commit (8570350).
> 
> I attached both the diff for "sites" (sites.diff) and the patch itself
> (ii-ssl-20170129-8570350.diff).

> diff --git a/config.mk b/config.mk
> index b5bc34f..8525a43 100644
> --- a/config.mk
> +++ b/config.mk
> @@ -16,7 +16,7 @@ VERSION     = 1.7
>  
>  # includes and libs
>  INCLUDES    = -I. -I${INCDIR} -I/usr/include
> -LIBS        = -L${LIBDIR} -L/usr/lib -lc
> +LIBS        = -L${LIBDIR} -L/usr/lib -lc -lssl -lcrypto
>  # uncomment and comment other variables for compiling on Solaris
>  #LIBS = -L${LIBDIR} -L/usr/lib -lc -lsocket -lnsl
>  #CFLAGS      = -g ${INCLUDES} -DVERSION=\"${VERSION}\"
> diff --git a/ii.1 b/ii.1
> index 11e4e2a..d37db70 100644
> --- a/ii.1
> +++ b/ii.1
> @@ -25,6 +25,8 @@ and ii creates a new channel directory with in and out file.
>  .IR servername ]
>  .RB [ \-p
>  .IR port ]
> +.RB [ \-e
> +.IR ssl ]
>  .RB [ \-k
>  .IR environment variable ]
>  .RB [ \-i
> @@ -42,6 +44,9 @@ lets you override the default servername (irc.freenode.net)
>  .BI \-p " port"
>  lets you override the default port (6667)
>  .TP
> +.BI \-e " ssl"
> +lets you connect using ssl encryption. The default ssl port is 6697.
> +.TP
>  .BI \-k " environment variable"
>  lets you specify an environment variable that contains your IRC password, 
> e.g. IIPASS="foobar" ii -k IIPASS.
>  This is done in order to prevent other users from eavesdropping the server 
> password via the process list.
> diff --git a/ii.c b/ii.c
> index 5d57458..15b5456 100644
> --- a/ii.c
> +++ b/ii.c
> @@ -18,6 +18,9 @@
>  #include <ctype.h>
>  #include <time.h>
>  #include <unistd.h>
> +#include <openssl/rand.h>
> +#include <openssl/ssl.h>
> +#include <openssl/err.h>
>  
>  #define EXIT_TIMEOUT 2
>  
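Review bot: `#include <openssl/rand.h>` on the third added line is not used by anything else in this patch — no `RAND_*` call appears in any of the ii.c hunks — so as far as the patch shows it can be dropped, leaving only `<openssl/ssl.h>` and `<openssl/err.h>`. Unused headers widen the dependency surface for no gain.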
> @@ -26,6 +29,14 @@
>  #endif
>  #define PING_TIMEOUT 300
>  #define SERVER_PORT 6667
> +#define SSL_SERVER_PORT 6697
> +#define WRITE(con, mes, len) (use_ssl ? SSL_write(irc->sslHandle, mes, len) 
> : write(con->irc, mes, len))
> +#define READ(fd, buf, size) (from_server && use_ssl ? 
> SSL_read(irc->sslHandle, buf, size) : read(fd, buf, size))
> +typedef struct {
> +     int irc;
> +     SSL *sslHandle;
> +     SSL_CTX *sslContext;
> +} conn;
>  enum { TOK_NICKSRV = 0, TOK_USER, TOK_CMD, TOK_CHAN, TOK_ARG, TOK_TEXT, 
> TOK_LAST };
>  
>  typedef struct Channel Channel;
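Review bot: The `WRITE` macro takes a `con` argument but, on the SSL path, reads the global `irc->sslHandle` instead of `con`, and `READ` only works because every expansion site happens to have a local named `from_server` in scope; neither macro parenthesizes `mes`, `buf` or `size`. A `static inline` pair taking the `conn *` explicitly is type-checked and has none of these traps, e.g. `static ssize_t conn_write(conn *c, const void *buf, size_t len) { return use_ssl ? SSL_write(c->sslHandle, buf, (int)len) : write(c->irc, buf, len); }` and a matching `conn_read` that takes the `conn *` (or `NULL` for a plain fd) rather than a loose `from_server` flag. Note that `SSL_write`/`SSL_read` take and return `int`, so the length should be converted explicitly rather than relying on the implicit narrowing inside the macro.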
> @@ -35,7 +46,8 @@ struct Channel {
>       Channel *next;
>  };
>  
> -static int irc;
> +conn *irc;
> +static int use_ssl;
>  static time_t last_response;
>  static Channel *channels = NULL;
>  static char *host = "irc.freenode.net";
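Review bot: `conn *irc;` replaces a `static int irc;` and drops the `static`, so the connection pointer becomes an exported symbol while every neighbouring global (`use_ssl`, `last_response`, `channels`, `host`) stays file-local; `static conn *irc;` keeps the original linkage. The same applies to `tcpopen` in the later hunk, where `static int tcpopen(...)` became `conn *tcpopen(...)` and should read `static conn *tcpopen(unsigned short port)`.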
> @@ -48,7 +60,7 @@ static void usage() {
>       fputs("ii - irc it - " VERSION "\n"
>             "(C)opyright MMV-MMVI Anselm R. Garbe\n"
>             "(C)opyright MMV-MMXI Nico Golde\n"
> -           "usage: ii [-i <irc dir>] [-s <host>] [-p <port>]\n"
> +           "usage: ii [-i <irc dir>] [-s <host>] [-p <port>] [-e ssl]\n"
>             "          [-n <nick>] [-k <password>] [-f <fullname>]\n", 
> stderr);
>       exit(EXIT_FAILURE);
>  }
> @@ -151,11 +163,12 @@ static void login(char *key, char *fullname) {
>                               nick, nick, host, fullname ? fullname : nick);
>       else snprintf(message, PIPE_BUF, "NICK %s\r\nUSER %s localhost %s 
> :%s\r\n",
>                               nick, nick, host, fullname ? fullname : nick);
> -     write(irc, message, strlen(message));   /* login */
> +     WRITE(irc, message, strlen(message));   /* login */
>  }
>  
> -static int tcpopen(unsigned short port) {
> +conn *tcpopen(unsigned short port) {
>       int fd;
> +    conn *c;
>       struct sockaddr_in sin;
>       struct hostent *hp = gethostbyname(host);
>  
> @@ -175,7 +188,22 @@ static int tcpopen(unsigned short port) {
>               perror("ii: cannot connect to host");
>               exit(EXIT_FAILURE);
>       }
> -     return fd;
> +     c = malloc(sizeof(conn));
> +     c->irc = fd;
> +     if(use_ssl) {
> +             c->sslHandle = NULL;
> +             c->sslContext = NULL;
> +             SSL_load_error_strings();
> +             SSL_library_init();
> +             c->sslContext = SSL_CTX_new(SSLv23_client_method());
> +             if(c->sslContext == NULL)
> +                     ERR_print_errors_fp(stderr);
> +             c->sslHandle = SSL_new(c->sslContext);
> +             if(!SSL_set_fd(c->sslHandle, c->irc)
> +                             || (SSL_connect(c->sslHandle) != 1))
> +                     ERR_print_errors_fp(stderr);
> +     }
> +     return c;
>  }
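Review bot: The SSL setup reports failures with `ERR_print_errors_fp` but never stops: `malloc` is unchecked, a NULL `sslContext` flows straight into `SSL_new`, a NULL `sslHandle` into `SSL_set_fd`, and after a failed `SSL_connect` the function still returns `c`, so the client goes on writing credentials (the `NICK`/`USER` login and the `-k` password) to a handle whose handshake never completed. The rest of `tcpopen` already uses `perror(...); exit(EXIT_FAILURE);` for socket errors, so the TLS path should follow the same convention. `SSLv23_client_method()` negotiates any protocol version the library supports; setting `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` on the context rules out the legacy ones. Initialising `sslHandle`/`sslContext` unconditionally also keeps the struct fully defined on the plain-TCP path. The start of `tcpopen` lies in the previous hunk.
```c
	c = malloc(sizeof *c);
	if(!c) {
		perror("ii: cannot allocate connection");
		exit(EXIT_FAILURE);
	}
	c->irc = fd;
	c->sslHandle = NULL;
	c->sslContext = NULL;
	if(use_ssl) {
		SSL_load_error_strings();
		SSL_library_init();
		c->sslContext = SSL_CTX_new(SSLv23_client_method());
		if(c->sslContext == NULL) {
			ERR_print_errors_fp(stderr);
			exit(EXIT_FAILURE);
		}
		/* SSLv23_client_method() accepts any version; refuse the legacy ones */
		SSL_CTX_set_options(c->sslContext, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
		c->sslHandle = SSL_new(c->sslContext);
		if(!c->sslHandle || !SSL_set_fd(c->sslHandle, c->irc)
				|| SSL_connect(c->sslHandle) != 1) {
			ERR_print_errors_fp(stderr);
			exit(EXIT_FAILURE);
		}
	}
	return c;
```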
>  
>  static size_t tokenize(char **result, size_t reslen, char *str, char delim) {
> @@ -222,7 +250,7 @@ static void proc_channels_privmsg(char *channel, char 
> *buf) {
>       snprintf(message, PIPE_BUF, "<%s> %s", nick, buf);
>       print_out(channel, message);
>       snprintf(message, PIPE_BUF, "PRIVMSG %s :%s\r\n", channel, buf);
> -     write(irc, message, strlen(message));
> +     WRITE(irc, message, strlen(message));
>  }
>  
>  static void proc_channels_input(Channel *c, char *buf) {
> @@ -276,7 +304,7 @@ static void proc_channels_input(Channel *c, char *buf) {
>                       else
>                               snprintf(message, PIPE_BUF,
>                                               "PART %s :ii - 500 SLOC are too 
> much\r\n", c->name);
> -                     write(irc, message, strlen(message));
> +                     WRITE(irc, message, strlen(message));
>                       close(c->fd);
>                       /*create_filepath(infile, sizeof(infile), c->name, 
> "in");
>                       unlink(infile); */
> @@ -291,7 +319,7 @@ static void proc_channels_input(Channel *c, char *buf) {
>               snprintf(message, PIPE_BUF, "%s\r\n", &buf[1]);
>  
>       if (message[0] != '\0')
> -             write(irc, message, strlen(message));
> +             WRITE(irc, message, strlen(message));
>  }
>  
>  static void proc_server_cmd(char *buf) {
> @@ -342,7 +370,7 @@ static void proc_server_cmd(char *buf) {
>               return;
>       } else if(!strncmp("PING", argv[TOK_CMD], 5)) {
>               snprintf(message, PIPE_BUF, "PONG %s\r\n", argv[TOK_TEXT]);
> -             write(irc, message, strlen(message));
> +             WRITE(irc, message, strlen(message));
>               return;
>       } else if(!argv[TOK_NICKSRV] || !argv[TOK_USER]) {      /* server 
> command */
>               snprintf(message, PIPE_BUF, "%s%s", argv[TOK_ARG] ? 
> argv[TOK_ARG] : "", argv[TOK_TEXT] ? argv[TOK_TEXT] : "");
> @@ -383,11 +411,11 @@ static void proc_server_cmd(char *buf) {
>               print_out(argv[TOK_CHAN], message);
>  }
>  
> -static int read_line(int fd, size_t res_len, char *buf) {
> +static int read_line(int fd, size_t res_len, char *buf, int from_server) {
>       size_t i = 0;
>       char c = 0;
>       do {
> -             if(read(fd, &c, sizeof(char)) != sizeof(char))
> +             if(READ(fd, &c, sizeof(char)) != sizeof(char))
>                       return -1;
>               buf[i++] = c;
>       }
> @@ -398,7 +426,7 @@ static int read_line(int fd, size_t res_len, char *buf) {
>  
>  static void handle_channels_input(Channel *c) {
>       static char buf[PIPE_BUF];
> -     if(read_line(c->fd, PIPE_BUF, buf) == -1) {
> +     if(read_line(c->fd, PIPE_BUF, buf, 0) == -1) {
>               close(c->fd);
>               int fd = open_channel(c->name);
>               if(fd != -1)
> @@ -412,7 +440,7 @@ static void handle_channels_input(Channel *c) {
>  
>  static void handle_server_output() {
>       static char buf[PIPE_BUF];
> -     if(read_line(irc, PIPE_BUF, buf) == -1) {
> +     if(read_line(irc->irc, PIPE_BUF, buf, 1) == -1) {
>               perror("ii: remote host closed connection");
>               exit(EXIT_FAILURE);
>       }
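Review bot: With SSL enabled, `read_line(irc->irc, ..., 1)` pulls bytes from OpenSSL's decrypted buffer one at a time and this function returns after a single line, but a TLS record usually carries several lines; whatever remains buffered inside the `SSL` object does not make `irc->irc` readable, so the `select()` loop in `run()` blocks until the server sends more data and the remaining lines are delivered late. Wrapping the read-and-dispatch in `do { ... } while(use_ssl && SSL_pending(irc->sslHandle));` drains the already-decrypted bytes before returning to `select()`. The body of `handle_server_output` continues past this hunk, so the loop's closing line lands outside it.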
> @@ -429,8 +457,8 @@ static void run() {
>       snprintf(ping_msg, sizeof(ping_msg), "PING %s\r\n", host);
>       for(;;) {
>               FD_ZERO(&rd);
> -             maxfd = irc;
> -             FD_SET(irc, &rd);
> +             maxfd = irc->irc;
> +             FD_SET(irc->irc, &rd);
>               for(c = channels; c; c = c->next) {
>                       if(maxfd < c->fd)
>                               maxfd = c->fd;
> @@ -450,10 +478,10 @@ static void run() {
>                               print_out(NULL, "-!- ii shutting down: ping 
> timeout");
>                               exit(EXIT_TIMEOUT);
>                       }
> -                     write(irc, ping_msg, strlen(ping_msg));
> +                     WRITE(irc, ping_msg, strlen(ping_msg));
>                       continue;
>               }
> -             if(FD_ISSET(irc, &rd)) {
> +             if(FD_ISSET(irc->irc, &rd)) {
>                       handle_server_output();
>                       last_response = time(NULL);
>               }
> @@ -487,10 +515,13 @@ int main(int argc, char *argv[]) {
>                       case 'p': port = strtol(argv[++i], NULL, 10); break;
>                       case 'n': snprintf(nick,sizeof(nick),"%s", argv[++i]); 
> break;
>                       case 'k': key = getenv(argv[++i]); break;
> +                     case 'e': use_ssl = 1; ++i; break;
>                       case 'f': fullname = argv[++i]; break;
>                       default: usage(); break;
>               }
>       }
> +     if(use_ssl)
> +             port = port == SERVER_PORT ? SSL_SERVER_PORT : port;
>       irc = tcpopen(port);
>       
>       #ifdef __OpenBSD__      /* OpenBSD pledge(2) support */
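Review bot: `case 'e': use_ssl = 1; ++i; break;` consumes the argument after `-e` without ever reading it, so the option only works when the user supplies a throw-away word (the man page hunk documents it as `-e ssl`), and `ii -e -p 6697` would silently swallow `-p`; a plain flag, `case 'e': use_ssl = 1; break;`, with the usage string and man page updated to `[-e]`, is what the option's behaviour calls for. The port remap two lines later also rewrites an explicit `-p 6667 -e` to 6697, since it cannot tell a default from a user-supplied port; if that matters, track whether `-p` was given and remap only when it was not.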

Hey,

Doesn't this miss some things, like peer verification and the certificate information?

An alternative could be to use the LibreSSL libtls wrapper library which handles
these things.

-- 
Kind regards,
Hiltjo
