Allow to to load the CA chain directly from memory instead of

specifying a file.  This enables CA verification in privsep'ed
processes that are running chroot'ed without direct access to the
certificate files.

With feedback, tests, and OK from bluhm@

1 files changed, 9 insertions, 2 deletions

diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index e870078225..df2dfc8a41 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.6 2015/01/01 13:30:52 schwarze Exp $
+.\" $OpenBSD: tls_init.3,v 1.7 2015/01/22 09:16:24 reyk Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 1 2015 $
+.Dd $Mdocdate: January 22 2015 $
 .Dt TLS 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm tls_config_free ,
 .Nm tls_config_set_ca_file ,
 .Nm tls_config_set_ca_path ,
+.Nm tls_config_set_ca_mem ,
 .Nm tls_config_set_cert_file ,
 .Nm tls_config_set_cert_mem ,
 .Nm tls_config_set_ciphers ,
@@ -63,6 +64,8 @@
 .Ft "int"
 .Fn tls_config_set_ca_path "struct tls_config *config" "const char *ca_path"
 .Ft "int"
+.Fn tls_config_set_ca_mem "struct tls_config *config" "const uint8_t *cert" "size_t len"
+.Ft "int"
 .Fn tls_config_set_cert_file "struct tls_config *config" "const char *cert_file"
 .Ft "int"
 .Fn tls_config_set_cert_mem  "struct tls_config *config" "const uint8_t *cert" "size_t len"
@@ -198,6 +201,10 @@ sets the path (directory) which should be searched for root
 certificates.
 .Em (Client)
 .It
+.Fn tls_config_set_ca_mem
+sets the root certificates directly from memory.
+.Em (Client)
+.It
 .Fn tls_config_set_cert_file
 sets file from which the public certificate will be read.
 .Em (Client and server)