author | 2019-04-01 03:31:55 +0000 | |
---|---|---|
committer | 2019-04-01 03:31:55 +0000 | |
commit | 3461bfbe26fa73f3bbe2417f40539d34ecb631c5 (patch) | |
tree | c91e57ca843638531297ab271606beba65363651 /lib/libm/src | |
parent | deprecate TASKQ_CANTSLEEP since nothing uses it anymore (diff) | |
download | wireguard-openbsd-3461bfbe26fa73f3bbe2417f40539d34ecb631c5.tar.xz wireguard-openbsd-3461bfbe26fa73f3bbe2417f40539d34ecb631c5.zip |
Implement "Authentication Domain Names" configuration as per RFC 8310
section 7.1 for DoT servers.

We are setting the CA cert bundle path (/etc/ssl/cert.pem) directly in
libunbound so we need to loosen pledge(2) a bit and allow rpath. At the
same time we unveil only /etc/ssl/cert.pem. We can drop the chroot(2)
since pledge(2) and unveil(2) give us more fine-grained isolation.
prodding by tb@.

p.s. for portable it might be necessary to pass in a file descriptor
from the parent, slurp in the file and then use X509_STORE_load_mem()
(pointed out by sthen) in the guts of libunbound.

Diffstat (limited to 'lib/libm/src')
0 files changed, 0 insertions, 0 deletions