Plan 9 from Bell Labs’s /usr/web/sources/contrib/mospak/tls-1.2/tls-ca-bundle-default.diff

Copyright © 2021 Plan 9 Foundation.
Distributed under the MIT License.


--- sys/src/cmd/hget.c
+++ sys/src/cmd/hget.c
@@ -354,13 +354,19 @@ dohttp(URL *u, URL *px, Range *r, Out *out, long mtime
 
 			memset(&conn, 0, sizeof conn);
 			conn.serverName = u->host;	/* SNI: server requires it */
+			/* Trust anchors for X.509 chain verification.  readcertchain
+			 * returns nil if the bundle is missing or unreadable, and
+			 * tlsClient falls back to the thumbprint-only model. */
+			conn.rootCAchain = readcertchain("/sys/lib/tls/ca.pem");
+			if(conn.rootCAchain == nil)
+				fprint(2, "hget: no CA bundle at /sys/lib/tls/ca.pem; chain validation disabled\n");
 			tfd = tlsClient(fd, &conn);
+			freecertchain(conn.rootCAchain);
 			if(tfd < 0){
 				fprint(2, "tlsClient: %r\n");
 				close(fd);
 				return Error;
 			}
-			/* BUG: check cert here? */
 			if(conn.cert)
 				free(conn.cert);
 			close(fd);
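Review bot: When readcertchain returns nil the connection still proceeds — the diagnostic on L19 announces that chain validation is disabled and tlsClient is then called on the next line with no trust anchors, so a missing or unreadable bundle silently downgrades every fetch to the unauthenticated behaviour this change is meant to replace. If the intent is to require chain validation, fail closed: `if(conn.rootCAchain == nil){ fprint(2, "hget: cannot read /sys/lib/tls/ca.pem: %r\n"); close(fd); return Error; }`; if the fallback is deliberate, the new comment should state that as a policy choice of this program rather than as a property of tlsClient. The same fallback appears in the webfs/io.c hunk below. Whether freecertchain accepts a nil argument (the path L21 takes in this case) is not visible here and is worth confirming. dohttp continues outside the hunk.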
--- sys/src/cmd/webfs/io.c
+++ sys/src/cmd/webfs/io.c
@@ -64,13 +64,19 @@ _iotlsdial(va_list *arg)
 
 	memset(&conn, 0, sizeof conn);
 	conn.serverName = host;	/* SNI: server picks cert by it */
+	/* Trust anchors for X.509 chain verification.  readcertchain returns
+	 * nil if the bundle is missing or unreadable, and tlsClient falls
+	 * back to the thumbprint-only model. */
+	conn.rootCAchain = readcertchain("/sys/lib/tls/ca.pem");
+	if(conn.rootCAchain == nil)
+		fprint(2, "%s: no CA bundle at /sys/lib/tls/ca.pem; chain validation disabled\n", argv0);
 
 	tfd = tlsClient(fd, &conn);
+	freecertchain(conn.rootCAchain);
 	close(fd);
 	if(tfd < 0)
 		fprint(2, "%s: tlsClient: %r\n", argv0);
 	else {
-		/* BUG: check cert here? */
 		if(conn.cert)
 			free(conn.cert);
 	}
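Review bot: The bundle path `/sys/lib/tls/ca.pem` is spelled out twice in this hunk (the readcertchain argument on L40 and the diagnostic on L42) and twice more in the hget.c hunk, so the two clients can drift apart if one is edited. A single shared definition, e.g. `#define CAbundle "/sys/lib/tls/ca.pem"` used as `readcertchain(CAbundle)` and `fprint(2, "%s: no CA bundle at %s; chain validation disabled\n", argv0, CAbundle)`, keeps the code and its message in step. _iotlsdial continues outside the hunk.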
