Support CA verification in chroot'ed processes without direct file

access to the certificates.  SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@

diff --git a/lib/libssl/shlib_version b/lib/libssl/shlib_version
index 079346f..10f084c 100644 (file)
--- a/lib/libssl/shlib_version
+++ b/lib/libssl/shlib_version
@@ -1,2 +1,2 @@
 major=30
-minor=0
+minor=1

diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index 8302bba..5634408 100644 (file)
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.76 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.77 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1755,6 +1755,7 @@ int SSL_version(const SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
     const char *CApath);
+int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
 SSL_SESSION *SSL_get_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */

diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c
index 8dbd4a3..5bf4362 100644 (file)
--- a/lib/libssl/src/ssl/ssl_lib.c
+++ b/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.94 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.95 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2862,6 +2862,12 @@ SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
        return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath));
 }
 
+int
+SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
+{
+       return (X509_STORE_load_mem(ctx->cert_store, buf, len));
+}
+
 void
 SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val))
 {

diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 8302bba..5634408 100644 (file)
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.76 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.77 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1755,6 +1755,7 @@ int SSL_version(const SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
     const char *CApath);
+int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
 SSL_SESSION *SSL_get_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */

diff --git a/lib/libssl/ssl/shlib_version b/lib/libssl/ssl/shlib_version
index 079346f..10f084c 100644 (file)
--- a/lib/libssl/ssl/shlib_version
+++ b/lib/libssl/ssl/shlib_version
@@ -1,2 +1,2 @@
 major=30
-minor=0
+minor=1

diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 8dbd4a3..5bf4362 100644 (file)
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.94 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.95 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2862,6 +2862,12 @@ SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
        return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath));
 }
 
+int
+SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
+{
+       return (X509_STORE_load_mem(ctx->cert_store, buf, len));
+}
+
 void
 SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val))
 {