From 138944aeef27fb00df60db6f46ef653726b4ca5a Mon Sep 17 00:00:00 2001
From: reyk <>
Date: Thu, 22 Jan 2015 09:16:24 +0000
Subject: Allow to to load the CA chain directly from memory instead of specifying a file.
This enables CA verification in privsep'ed processes that are running chroot'ed without direct access to the certificate files.
With feedback, tests, and OK from bluhm@
---
 src/lib/libtls/tls_client.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(limited to 'src/lib/libtls/tls_client.c')
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index c6117c3292..4a9a4c976d 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.8 2015/01/13 17:35:35 bluhm Exp $ */
+/* $OpenBSD: tls_client.c,v 1.9 2015/01/22 09:16:24 reyk Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -21,6 +21,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -168,7 +169,19 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
 	if (ctx->config->verify_cert) {
 		SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
-		if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
+		if (ctx->config->ca_mem != NULL) {
+			if (ctx->config->ca_len > INT_MAX) {
+				tls_set_error(ctx, "ca too long");
+				goto err;
+			}
+
+			if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
+			    ctx->config->ca_mem, ctx->config->ca_len) != 1) {
+				tls_set_error(ctx,
+				    "ssl verify memory setup failure");
+				goto err;
+			}
+		} else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
 		    ctx->config->ca_file, ctx->config->ca_path) != 1) {
 			tls_set_error(ctx, "ssl verify setup failure");
 			goto err;
-- 
cgit v1.2.3-55-g6feb
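Review bot: The new `ca_mem` branch in the third hunk makes an in-memory CA chain silently win over any configured `ca_file`/`ca_path`, and nothing in the code states that precedence; a one-line comment above the branch, `/* An in-memory CA chain takes precedence over ca_file/ca_path. */`, would keep a later reader from assuming both sources are consulted. The `ca_len > INT_MAX` guard also deserves a word on why it exists, presumably because `SSL_CTX_load_verify_mem()` takes an `int` length, e.g. `/* SSL_CTX_load_verify_mem() takes an int length. */`; the guard itself looks correct. The header added in the second hunk is presumably `<limits.h>` for `INT_MAX`, but its name is not visible in this rendering, so that cannot be confirmed here. `tls_connect_fds` starts before and continues after the hunk.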