Add X509_STORE_load_mem() to load certificates from a memory buffer

instead of disk.  OpenSSL didn't provide a built-in API from loading
certificates in a chroot'ed process that doesn't have direct access to
the files.  X509_STORE_load_mem() provides a new backend that will be
used by libssl and libtls to implement such privsep-friendly
functionality.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@

1 files changed, 21 insertions, 1 deletions

diff --git a/src/lib/libcrypto/x509/x509_d2.c b/src/lib/libcrypto/x509/x509_d2.c
index cc22f4f470..5b0f80adda 100644
--- a/src/lib/libcrypto/x509/x509_d2.c
+++ b/src/lib/libcrypto/x509/x509_d2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_d2.c,v 1.9 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: x509_d2.c,v 1.10 2015/01/22 09:06:39 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <sys/uio.h>
 
 #include <openssl/crypto.h>
 #include <openssl/err.h>
@@ -106,3 +107,22 @@ X509_STORE_load_locations(X509_STORE *ctx, const char *file, const char *path)
                 return (0);
         return (1);
 }
+
+int
+X509_STORE_load_mem(X509_STORE *ctx, void *buf, int len)
+{
+        X509_LOOKUP             *lookup;
+        struct iovec             iov;
+
+        lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_mem());
+        if (lookup == NULL)
+                return (0);
+
+        iov.iov_base = buf;
+        iov.iov_len = len;
+
+        if (X509_LOOKUP_add_mem(lookup, &iov, X509_FILETYPE_PEM) != 1)
+                return (0);
+
+        return (1);
+}