authortedu <tedu@openbsd.org>2018-11-29 14:24:23 +0000
committertedu <tedu@openbsd.org>2018-11-29 14:24:23 +0000
commitf6b75673f6c960a9743bfd16c1e52dd100265c68 (patch)
treedf641ebe0d59f69d626019a53113f79b333041bb /lib/libtls
parentintroduce FILTER_COMMIT which will allow taking a decision at DATA commit (diff)
expose the default cert file as a function, not a define. it's really
an internal detail of the library, so the string should live inside it, not in the application code. ok jsing
Diffstat (limited to 'lib/libtls')
-rw-r--r--lib/libtls/man/tls_load_file.312
-rw-r--r--lib/libtls/shlib_version2
-rw-r--r--lib/libtls/tls.c4
-rw-r--r--lib/libtls/tls.h6
-rw-r--r--lib/libtls/tls_config.c10
5 files changed, 24 insertions, 10 deletions
diff --git a/lib/libtls/man/tls_load_file.3 b/lib/libtls/man/tls_load_file.3
index 9f738460d64..d836a04723a 100644
--- a/lib/libtls/man/tls_load_file.3
+++ b/lib/libtls/man/tls_load_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_load_file.3,v 1.10 2018/08/21 00:35:55 schwarze Exp $
+.\" $OpenBSD: tls_load_file.3,v 1.11 2018/11/29 14:24:23 tedu Exp $
.\"
.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -17,7 +17,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: August 21 2018 $
+.Dd $Mdocdate: November 29 2018 $
.Dt TLS_LOAD_FILE 3
.Os
.Sh NAME
@@ -45,7 +45,8 @@
.Nm tls_config_clear_keys ,
.Nm tls_config_set_verify_depth ,
.Nm tls_config_verify_client ,
-.Nm tls_config_verify_client_optional
+.Nm tls_config_verify_client_optional ,
+.Nm tls_default_ca_cert_file
.Nd TLS certificate and key configuration
.Sh SYNOPSIS
.In tls.h
@@ -193,6 +194,8 @@
.Fn tls_config_verify_client "struct tls_config *config"
.Ft void
.Fn tls_config_verify_client_optional "struct tls_config *config"
+.Ft const char *
+.Fn tls_default_ca_cert_file "void"
.Sh DESCRIPTION
.Fn tls_load_file
loads a certificate or key from disk into memory to be used with
@@ -210,6 +213,9 @@ unloads the memory that was returned from an earlier
.Fn tls_load_file
call, ensuring that the memory contents is discarded.
.Pp
+.Fn tls_default_ca_cert_file
+returns the path of the file that contains the default root certificates.
+.Pp
.Fn tls_config_set_ca_file
sets the filename used to load a file
containing the root certificates.
diff --git a/lib/libtls/shlib_version b/lib/libtls/shlib_version
index 9838ba60e39..332e3ede16f 100644
--- a/lib/libtls/shlib_version
+++ b/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
major=19
-minor=1
+minor=2
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index 4362c60c805..bf1d9da81ea 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.81 2018/11/06 20:34:54 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.82 2018/11/29 14:24:23 tedu Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -501,7 +501,7 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
/* If no CA has been specified, attempt to load the default. */
if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {
- if (tls_config_load_file(&ctx->error, "CA", TLS_CA_CERT_FILE,
+ if (tls_config_load_file(&ctx->error, "CA", tls_default_ca_cert_file(),
&ca_mem, &ca_len) != 0)
goto err;
ca_free = ca_mem;
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index 1b2d2c954cc..560809ee190 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.54 2018/11/06 20:34:54 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.55 2018/11/29 14:24:23 tedu Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -29,8 +29,6 @@ extern "C" {
#define TLS_API 20180210
-#define TLS_CA_CERT_FILE "/etc/ssl/cert.pem"
-
#define TLS_PROTOCOL_TLSv1_0 (1 << 1)
#define TLS_PROTOCOL_TLSv1_1 (1 << 2)
#define TLS_PROTOCOL_TLSv1_2 (1 << 3)
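Review bot: Removing the public macro TLS_CA_CERT_FILE from tls.h while leaving TLS_API at 20180210 on the context line above is a source-level break for any application that referenced the macro, and it leaves that application nothing to feature-test for the replacement declared in the next hunk. The shlib minor bump in shlib_version covers the new exported symbol only; it does not help a consumer choose between the macro and the function at compile time. If TLS_API is intended as the feature-test value for the header, this looks like the point to bump it in the file's existing date form, e.g. `#define TLS_API 20181129` (value constructed from the commit date), and to mention the removal in the commit message so packagers can grep for TLS_CA_CERT_FILE in dependents.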
@@ -87,6 +85,8 @@ const char *tls_error(struct tls *_ctx);
struct tls_config *tls_config_new(void);
void tls_config_free(struct tls_config *_config);
+const char *tls_default_ca_cert_file(void);
+
int tls_config_add_keypair_file(struct tls_config *_config,
const char *_cert_file, const char *_key_file);
int tls_config_add_keypair_mem(struct tls_config *_config, const uint8_t *_cert,
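Review bot: The new prototype `const char *tls_default_ca_cert_file(void);` gives the header reader no indication of who owns the returned string; the implementation added in tls_config.c returns the static array `default_ca_file`, so the pointer refers to storage inside the library and must not be freed or written through. Since this is the public declaration, a one-line note here would save callers from reading the source, e.g. `/* Path of the default CA bundle; points at static storage owned by libtls, do not free. */`. The tls_load_file.3 addition in this commit states what the function returns but not this ownership rule either, so the same sentence is worth adding to the manual page.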
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 07019252a7d..9992c606616 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.52 2018/04/07 16:35:34 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.53 2018/11/29 14:24:23 tedu Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -27,6 +27,14 @@
#include "tls_internal.h"
+static const char default_ca_file[] = "/etc/ssl/cert.pem";
+
+const char *
+tls_default_ca_cert_file(void)
+{
+ return default_ca_file;
+}
+
int
tls_config_load_file(struct tls_error *error, const char *filetype,
const char *filename, char **buf, size_t *len)