From 8e376166426749fe5f95ab4ad9e6adfc863634d1 Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Thu, 29 Nov 2018 14:24:23 +0000
Subject: expose the default cert file as a function, not a define. it's really an internal detail of the library, so the string should live inside it, not in the application code. ok jsing
---
 src/lib/libtls/man/tls_load_file.3 | 12 +++++++++---
 src/lib/libtls/shlib_version | 2 +-
 src/lib/libtls/tls.c | 4 ++--
 src/lib/libtls/tls.h | 6 +++---
 src/lib/libtls/tls_config.c | 10 +++++++++-
 5 files changed, 24 insertions(+), 10 deletions(-)
 (limited to 'src/lib')
diff --git a/src/lib/libtls/man/tls_load_file.3 b/src/lib/libtls/man/tls_load_file.3
index 9f738460d6..d836a04723 100644
--- a/src/lib/libtls/man/tls_load_file.3
+++ b/src/lib/libtls/man/tls_load_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_load_file.3,v 1.10 2018/08/21 00:35:55 schwarze Exp $
+.\" $OpenBSD: tls_load_file.3,v 1.11 2018/11/29 14:24:23 tedu Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\" Copyright (c) 2015 Reyk Floeter
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 21 2018 $
+.Dd $Mdocdate: November 29 2018 $
 .Dt TLS_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -45,7 +45,8 @@
 .Nm tls_config_clear_keys ,
 .Nm tls_config_set_verify_depth ,
 .Nm tls_config_verify_client ,
-.Nm tls_config_verify_client_optional
+.Nm tls_config_verify_client_optional ,
+.Nm tls_default_ca_cert_file
 .Nd TLS certificate and key configuration
 .Sh SYNOPSIS
 .In tls.h
@@ -193,6 +194,8 @@
 .Fn tls_config_verify_client "struct tls_config *config"
 .Ft void
 .Fn tls_config_verify_client_optional "struct tls_config *config"
+.Ft const char *
+.Fn tls_default_ca_cert_file "void"
 .Sh DESCRIPTION
 .Fn tls_load_file
 loads a certificate or key from disk into memory to be used with
@@ -210,6 +213,9 @@
 unloads the memory that was returned from an earlier
 .Fn tls_load_file
 call, ensuring that the memory contents is discarded.
 .Pp
+.Fn tls_default_ca_cert_file
+returns the path of the file that contains the default root certificates.
+.Pp
 .Fn tls_config_set_ca_file
 sets the filename used to load a file containing the root certificates.
diff --git a/src/lib/libtls/shlib_version b/src/lib/libtls/shlib_version
index 9838ba60e3..332e3ede16 100644
--- a/src/lib/libtls/shlib_version
+++ b/src/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
 major=19
-minor=1
+minor=2
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 4362c60c80..bf1d9da81e 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.81 2018/11/06 20:34:54 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.82 2018/11/29 14:24:23 tedu Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -501,7 +501,7 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 /* If no CA has been specified, attempt to load the default. */
 if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {
- if (tls_config_load_file(&ctx->error, "CA", TLS_CA_CERT_FILE,
+ if (tls_config_load_file(&ctx->error, "CA", tls_default_ca_cert_file(),
 &ca_mem, &ca_len) != 0)
 goto err;
 ca_free = ca_mem;
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 1b2d2c954c..560809ee19 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.54 2018/11/06 20:34:54 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.55 2018/11/29 14:24:23 tedu Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -29,8 +29,6 @@ extern "C" {
 #define TLS_API 20180210
-#define TLS_CA_CERT_FILE "/etc/ssl/cert.pem"
-
 #define TLS_PROTOCOL_TLSv1_0 (1 << 1)
 #define TLS_PROTOCOL_TLSv1_1 (1 << 2)
 #define TLS_PROTOCOL_TLSv1_2 (1 << 3)
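Review bot: Dropping `TLS_CA_CERT_FILE` from the public tls.h is a source-compatibility break for every application that referenced the macro, while the shlib_version change in the same commit only raises `minor`, which is the signal for an additive change. If keeping the string out of application code is the goal, a transitional define `#define TLS_CA_CERT_FILE tls_default_ca_cert_file()` next to the new prototype would let existing callers build until they are updated; note that it would presumably not work in the rare case of a caller using the macro in a static initializer, so the removal should at least be called out for consumers. The same removal is reflected in the tls.c hunk at line 501, which is already switched to the function and needs no further change.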
@@ -87,6 +85,8 @@ const char *tls_error(struct tls *_ctx);
 struct tls_config *tls_config_new(void);
 void tls_config_free(struct tls_config *_config);
+const char *tls_default_ca_cert_file(void);
+
 int tls_config_add_keypair_file(struct tls_config *_config, const char *_cert_file, const char *_key_file);
 int tls_config_add_keypair_mem(struct tls_config *_config, const uint8_t *_cert,
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 07019252a7..9992c60661 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.52 2018/04/07 16:35:34 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.53 2018/11/29 14:24:23 tedu Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -27,6 +27,14 @@
 #include "tls_internal.h"
+static const char default_ca_file[] = "/etc/ssl/cert.pem";
+
+const char *
+tls_default_ca_cert_file(void)
+{
+ return default_ca_file;
+}
+
 int
 tls_config_load_file(struct tls_error *error, const char *filetype, const char *filename, char **buf, size_t *len)
--
cgit v1.2.3-55-g6feb
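Review bot: `tls_default_ca_cert_file` in tls_config.c hands out a pointer into the library's own static `default_ca_file`, but neither the definition nor the new prototype in tls.h says that the result is library-owned and must not be modified or freed. That matters on this particular man page, where the neighbouring `tls_load_file`/`tls_unload_file` return memory the caller does release, so a reader can easily assume the same contract here. A one-line comment above the definition would settle it, e.g. `/* Path of the default CA bundle; points at static library storage, never free it. */`, and the new sentence in tls_load_file.3 could state the same ownership rule.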