

ref: af93e0054ff142c7867c7a7c73982d13735758f4
parent: 2959acc59ca6324966d55953f7893276415dd49b
author: Yaroslav K <yarikos@gmail.com>
date: Sat Aug 23 16:24:41 EDT 2025

build time pick of tls file

--- a/mkfile
+++ b/mkfile
@@ -1,4 +1,6 @@
 </$objtype/mkfile
+<|opt.rc
+
 #<$PLAN9/src/mkhdr
 
 TARG=rd
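Review bot: The added `<|opt.rc` on the second line of the mkfile relies on opt.rc carrying an execute bit and on rc resolving a bare `opt.rc` through the path from the build directory, neither of which a fresh checkout is guaranteed to preserve. Invoking the interpreter explicitly, `<|rc opt.rc`, makes the include independent of both, and the `#!/bin/rc` line in opt.rc stays harmless. If the script is ever missing, the include fails loudly at mk time rather than leaving `$TLSFILE` empty, which is the better failure mode.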
@@ -24,11 +26,11 @@
 	msg.$O\
 	rd.$O\
 	rpc.$O\
-	tls.$O\
 	utf16.$O\
 	vchan.$O\
 	wsys.$O\
 	x224.$O\
+	$TLSFILE.$O\
 
 THREADOFILES=${OFILES:rd.$O=rd-thread.$O}
 CLEANFILES=$O.thread $O.test
--- /dev/null
+++ b/opt.rc
@@ -1,0 +1,7 @@
+#!/bin/rc
+
+# 9front differs in initThumbprints signature/usage 
+if(~ `{grep initThumbprints /sys/include/libsec.h | wc -w} 7)
+	echo 'TLSFILE=tls9f'
+if not
+	echo 'TLSFILE=tls'
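Review bot: The check on line 4 picks the TLS source by counting the words of whatever line of libsec.h mentions initThumbprints, so any reformatting of that prototype (a wrapped line, a trailing comment, different spacing around the parameter names) flips the choice silently, and the mistake surfaces only as a compile error in the selected file. The property the two sources actually differ on is visible on this page: tls9f.c passes initThumbprints three arguments and tls.c two, so testing for a third argument directly is both clearer and more robust, `if(grep -s 'initThumbprints\(.*,.*,' /sys/include/libsec.h)`, where `grep -s` also keeps a missing header from printing a diagnostic in the middle of the mk run. The comment above it would then say what is being tested: `# 9front's initThumbprints takes a third (tag) argument; plain Plan 9's takes two`. The trailing whitespace on the current comment line is worth dropping while touching it.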
--- a/tls.c
+++ b/tls.c
@@ -17,12 +17,12 @@
 		return 0;
 	}
 	sha1(cert, certlen, digest, nil);
-	table = initThumbprints("/sys/lib/tls/rdp", "/sys/lib/tls/rdp.exclude", "x224");
-	if(!table || !okThumbprint(digest, SHA1dlen, table)){
+	table = initThumbprints("/sys/lib/tls/rdp", "/sys/lib/tls/rdp.exclude");
+	if(!table || !okThumbprint(digest, table)){
 		werrstr("server certificate not recognized");
 		fprint(2, "verify server certificate %.*H \n", SHA1dlen, digest);
 		fprint(2, "add thumbprint after verification\n");
-		fprint(2, "\techo 'x224 sha1=%.*H' >> %q\n", SHA1dlen, digest, "/sys/lib/tls/rdp");
+		fprint(2, "\techo 'x509 sha1=%.*H' >> %q\n", SHA1dlen, digest, "/sys/lib/tls/rdp");
 		return 0;
 	}
 	freeThumbprints(table);
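Review bot: The thumbprint table is leaked on the rejection path: when initThumbprints succeeds but okThumbprint on the new fifth line of the hunk fails, the function returns 0 without releasing `table`, and freeThumbprints only runs on the accepted path (the last context line). Releasing it as the first statement inside the if, `if(table) freeThumbprints(table);`, closes the leak; if freeThumbprints tolerates nil the guard can be dropped. The same pattern is duplicated in the new tls9f.c (its istrusted), so the fix applies there too. The enclosing function istrusted begins before this hunk.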
--- /dev/null
+++ b/tls9f.c
@@ -1,0 +1,56 @@
+#include <u.h>
+#include <libc.h>
+#include <mp.h>
+#include <libsec.h>
+#include "dat.h"
+#include "fns.h"
+
+int
+istrusted(uchar* cert, int certlen)
+{
+	uchar digest[SHA1dlen];
+	Thumbprint *table;
+
+	fmtinstall('H', encodefmt);
+	if(cert==nil || certlen <= 0) {
+		werrstr("server did not provide TLS certificate");
+		return 0;
+	}
+	sha1(cert, certlen, digest, nil);
+	table = initThumbprints("/sys/lib/tls/rdp", "/sys/lib/tls/rdp.exclude", "x224");
+	if(!table || !okThumbprint(digest, SHA1dlen, table)){
+		werrstr("server certificate not recognized");
+		fprint(2, "verify server certificate %.*H \n", SHA1dlen, digest);
+		fprint(2, "add thumbprint after verification\n");
+		fprint(2, "\techo 'x224 sha1=%.*H' >> %q\n", SHA1dlen, digest, "/sys/lib/tls/rdp");
+		return 0;
+	}
+	freeThumbprints(table);
+	return 1;
+}
+
+/* lifted from /sys/src/cmd/upas/fs/imap4.c:/^starttls */
+int
+starttls(Rdp* r)
+{
+	TLSconn c;
+	int fd, sfd;
+
+	fd = r->fd;
+
+	memset(&c, 0, sizeof c);
+	sfd = tlsClient(fd, &c);
+	if(sfd < 0){
+		werrstr("tlsClient: %r");
+		return -1;
+	}
+	if(!istrusted(c.cert, c.certlen)){
+		close(sfd);
+		return -1;
+	}
+	/* BUG: free c.cert? */
+
+	close(r->fd);
+	r->fd = sfd;
+	return sfd;
+}
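Review bot: The `/* BUG: free c.cert? */` line in starttls records a leak rather than resolving it: if tlsClient heap-allocates the certificate it stores in `c.cert` (the comment suggests the author suspected so; confirm against tls(2) for the target libsec), it is never freed on either the accepted path or the `istrusted` failure path. Evaluating the check once and freeing before branching handles both, `trusted = istrusted(c.cert, c.certlen); free(c.cert); if(!trusted){`, with `trusted` declared next to `fd, sfd` so the block keeps its declarations at the top as Plan 9 C expects. Since this file differs from tls.c only in the initThumbprints/okThumbprint calls and the tag printed in the hint, isolating those calls in a small per-variant helper selected by `$TLSFILE` would avoid maintaining two copies of istrusted and starttls that must receive every fix (including the table leak on the rejection path of istrusted) twice.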
--