| author | reyk <> | 2015-01-22 09:12:57 +0000 | 
|---|---|---|
| committer | reyk <> | 2015-01-22 09:12:57 +0000 | 
| commit | ab992313cf0983a16f4f53aa153303043aec169f (patch) | |
| tree | 42f292263609c4df75e6a4d780bcc3cc53130658 | |
| parent | 862d0b8723d1dd780e301615518a21818f474a9c (diff) | |
Support CA verification in chroot'ed processes without direct file
access to the certificates.  SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function, which allows the CA
chain to be loaded from a memory buffer holding the PEM-encoded files.
This function makes it possible to handle the verification in privsep'ed code.
Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/shlib_version | 2 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl.h | 3 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_lib.c | 8 | ||||
| -rw-r--r-- | src/lib/libssl/ssl.h | 3 | ||||
| -rw-r--r-- | src/lib/libssl/ssl/shlib_version | 2 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 8 | 
6 files changed, 20 insertions, 6 deletions
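--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,2 +1,2 @@
 major=30
-minor=0
+minor=1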
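--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.76 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.77 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1755,6 +1755,7 @@ int SSL_version(const SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
 const char *CApath);
+int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
 SSL_SESSION *SSL_get_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */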
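Review bot: The new declaration at line 1758 takes the certificate buffer as `void *buf`, although the only use visible in this commit (the `X509_STORE_load_mem(ctx->cert_store, buf, len)` call added in ssl_lib.c) only reads from it; since this is a freshly exported symbol accompanied by a shlib minor bump, this is the moment to const-qualify it before callers depend on the signature: `int SSL_CTX_load_verify_mem(SSL_CTX *ctx, const void *buf, int len);` with the definition in ssl_lib.c changed to match (and X509_STORE_load_mem() too if its prototype is also non-const, which is not shown here). A `const` parameter also lets a privsep caller hand over a read-only mapping without a cast. The `int len` parameter is passed straight through with no visible rejection of negative values in this frontend; whether X509_STORE_load_mem() guards against that is not on this page, so either a check here or a comment stating the contract would be appropriate. The same point applies to the duplicated sections src/lib/libssl/ssl.h, src/lib/libssl/src/ssl/ssl_lib.c and src/lib/libssl/ssl_lib.c.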
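--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.94 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.95 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2862,6 +2862,12 @@ SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
 return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath));
 }
 
+int
+SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
+{
+return (X509_STORE_load_mem(ctx->cert_store, buf, len));
+}
+
 void
 SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val))
 {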
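Review bot: The new SSL_CTX_load_verify_mem() at lines 2865-2869 carries no comment stating what the buffer must contain or what the return value means, and the commit adds no manual page for the new public symbol. A short header comment above the definition would help, e.g. `/* Load PEM-encoded CA certificates for verification from an in-memory buffer instead of a file; the result of X509_STORE_load_mem() is returned unchanged. */`. Whether a partially parseable buffer counts as success is decided inside X509_STORE_load_mem(), which is not part of this commit, so the comment should tell callers which return value to test. The identical section for src/lib/libssl/ssl_lib.c needs the same comment.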
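--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.76 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.77 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1755,6 +1755,7 @@ int SSL_version(const SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
 const char *CApath);
+int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
 SSL_SESSION *SSL_get_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */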
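--- a/src/lib/libssl/ssl/shlib_version
+++ b/src/lib/libssl/ssl/shlib_version
@@ -1,2 +1,2 @@
 major=30
-minor=0
+minor=1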
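--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.94 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.95 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2862,6 +2862,12 @@ SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
 return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath));
 }
 
+int
+SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
+{
+return (X509_STORE_load_mem(ctx->cert_store, buf, len));
+}
+
 void
 SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val))
 {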
