summaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
authortedu <>2018-11-29 14:24:23 +0000
committertedu <>2018-11-29 14:24:23 +0000
commit8e376166426749fe5f95ab4ad9e6adfc863634d1 (patch)
treeec4788d4ef28ebf5ffa8baf3093f4d98017df946 /src/lib
parentee1a55d3c708acf2230e003941964e4f2e0a2967 (diff)
downloadopenbsd-8e376166426749fe5f95ab4ad9e6adfc863634d1.tar.gz
openbsd-8e376166426749fe5f95ab4ad9e6adfc863634d1.tar.bz2
openbsd-8e376166426749fe5f95ab4ad9e6adfc863634d1.zip
expose the default cert file as a function, not a define. it's really
an internal detail of the library, so the string should live inside it, not in the application code. ok jsing
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libtls/man/tls_load_file.312
-rw-r--r--src/lib/libtls/shlib_version2
-rw-r--r--src/lib/libtls/tls.c4
-rw-r--r--src/lib/libtls/tls.h6
-rw-r--r--src/lib/libtls/tls_config.c10
5 files changed, 24 insertions, 10 deletions
diff --git a/src/lib/libtls/man/tls_load_file.3 b/src/lib/libtls/man/tls_load_file.3
index 9f738460d6..d836a04723 100644
--- a/src/lib/libtls/man/tls_load_file.3
+++ b/src/lib/libtls/man/tls_load_file.3
@@ -1,4 +1,4 @@
1.\" $OpenBSD: tls_load_file.3,v 1.10 2018/08/21 00:35:55 schwarze Exp $ 1.\" $OpenBSD: tls_load_file.3,v 1.11 2018/11/29 14:24:23 tedu Exp $
2.\" 2.\"
3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> 3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> 4.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -17,7 +17,7 @@
17.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19.\" 19.\"
20.Dd $Mdocdate: August 21 2018 $ 20.Dd $Mdocdate: November 29 2018 $
21.Dt TLS_LOAD_FILE 3 21.Dt TLS_LOAD_FILE 3
22.Os 22.Os
23.Sh NAME 23.Sh NAME
@@ -45,7 +45,8 @@
45.Nm tls_config_clear_keys , 45.Nm tls_config_clear_keys ,
46.Nm tls_config_set_verify_depth , 46.Nm tls_config_set_verify_depth ,
47.Nm tls_config_verify_client , 47.Nm tls_config_verify_client ,
48.Nm tls_config_verify_client_optional 48.Nm tls_config_verify_client_optional ,
49.Nm tls_default_ca_cert_file
49.Nd TLS certificate and key configuration 50.Nd TLS certificate and key configuration
50.Sh SYNOPSIS 51.Sh SYNOPSIS
51.In tls.h 52.In tls.h
@@ -193,6 +194,8 @@
193.Fn tls_config_verify_client "struct tls_config *config" 194.Fn tls_config_verify_client "struct tls_config *config"
194.Ft void 195.Ft void
195.Fn tls_config_verify_client_optional "struct tls_config *config" 196.Fn tls_config_verify_client_optional "struct tls_config *config"
197.Ft const char *
198.Fn tls_default_ca_cert_file "void"
196.Sh DESCRIPTION 199.Sh DESCRIPTION
197.Fn tls_load_file 200.Fn tls_load_file
198loads a certificate or key from disk into memory to be used with 201loads a certificate or key from disk into memory to be used with
@@ -210,6 +213,9 @@ unloads the memory that was returned from an earlier
210.Fn tls_load_file 213.Fn tls_load_file
211call, ensuring that the memory contents is discarded. 214call, ensuring that the memory contents is discarded.
212.Pp 215.Pp
216.Fn tls_default_ca_cert_file
217returns the path of the file that contains the default root certificates.
218.Pp
213.Fn tls_config_set_ca_file 219.Fn tls_config_set_ca_file
214sets the filename used to load a file 220sets the filename used to load a file
215containing the root certificates. 221containing the root certificates.
diff --git a/src/lib/libtls/shlib_version b/src/lib/libtls/shlib_version
index 9838ba60e3..332e3ede16 100644
--- a/src/lib/libtls/shlib_version
+++ b/src/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
1major=19 1major=19
2minor=1 2minor=2
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 4362c60c80..bf1d9da81e 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.c,v 1.81 2018/11/06 20:34:54 jsing Exp $ */ 1/* $OpenBSD: tls.c,v 1.82 2018/11/29 14:24:23 tedu Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -501,7 +501,7 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
501 501
502 /* If no CA has been specified, attempt to load the default. */ 502 /* If no CA has been specified, attempt to load the default. */
503 if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) { 503 if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {
504 if (tls_config_load_file(&ctx->error, "CA", TLS_CA_CERT_FILE, 504 if (tls_config_load_file(&ctx->error, "CA", tls_default_ca_cert_file(),
505 &ca_mem, &ca_len) != 0) 505 &ca_mem, &ca_len) != 0)
506 goto err; 506 goto err;
507 ca_free = ca_mem; 507 ca_free = ca_mem;
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 1b2d2c954c..560809ee19 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.h,v 1.54 2018/11/06 20:34:54 jsing Exp $ */ 1/* $OpenBSD: tls.h,v 1.55 2018/11/29 14:24:23 tedu Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -29,8 +29,6 @@ extern "C" {
29 29
30#define TLS_API 20180210 30#define TLS_API 20180210
31 31
32#define TLS_CA_CERT_FILE "/etc/ssl/cert.pem"
33
34#define TLS_PROTOCOL_TLSv1_0 (1 << 1) 32#define TLS_PROTOCOL_TLSv1_0 (1 << 1)
35#define TLS_PROTOCOL_TLSv1_1 (1 << 2) 33#define TLS_PROTOCOL_TLSv1_1 (1 << 2)
36#define TLS_PROTOCOL_TLSv1_2 (1 << 3) 34#define TLS_PROTOCOL_TLSv1_2 (1 << 3)
@@ -87,6 +85,8 @@ const char *tls_error(struct tls *_ctx);
87struct tls_config *tls_config_new(void); 85struct tls_config *tls_config_new(void);
88void tls_config_free(struct tls_config *_config); 86void tls_config_free(struct tls_config *_config);
89 87
88const char *tls_default_ca_cert_file(void);
89
90int tls_config_add_keypair_file(struct tls_config *_config, 90int tls_config_add_keypair_file(struct tls_config *_config,
91 const char *_cert_file, const char *_key_file); 91 const char *_cert_file, const char *_key_file);
92int tls_config_add_keypair_mem(struct tls_config *_config, const uint8_t *_cert, 92int tls_config_add_keypair_mem(struct tls_config *_config, const uint8_t *_cert,
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 07019252a7..9992c60661 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_config.c,v 1.52 2018/04/07 16:35:34 jsing Exp $ */ 1/* $OpenBSD: tls_config.c,v 1.53 2018/11/29 14:24:23 tedu Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -27,6 +27,14 @@
27 27
28#include "tls_internal.h" 28#include "tls_internal.h"
29 29
30static const char default_ca_file[] = "/etc/ssl/cert.pem";
31
32const char *
33tls_default_ca_cert_file(void)
34{
35 return default_ca_file;
36}
37
30int 38int
31tls_config_load_file(struct tls_error *error, const char *filetype, 39tls_config_load_file(struct tls_error *error, const char *filetype,
32 const char *filename, char **buf, size_t *len) 40 const char *filename, char **buf, size_t *len)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 07:50:58 +0000