From: reyk
Date: Thu, 22 Jan 2015 09:12:57 +0000 (+0000)
Subject: Support CA verification in chroot'ed processes without direct file
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=3c243a36a609d4fb1d6272a2521af115922fd786;p=openbsd

Support CA verification in chroot'ed processes without direct file access to the certificates. SSL_CTX_load_verify_mem() is a frontend to the new X509_STORE_load_mem() function that allows to load the CA chain from a memory buffer that is holding the PEM-encoded files. This function allows to handle the verification in privsep'ed code. Adopted for LibreSSL based on older code from relayd (by pyr@ and myself) With feedback and OK bluhm@
---
diff --git a/lib/libssl/shlib_version b/lib/libssl/shlib_version
index 079346fa7b1..10f084cda1d 100644
--- a/lib/libssl/shlib_version
+++ b/lib/libssl/shlib_version
@@ -1,2 +1,2 @@
 major=30
-minor=0
+minor=1
diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index 8302bba39c5..56344085ada 100644
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.76 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.77 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1755,6 +1755,7 @@ int SSL_version(const SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
     const char *CApath);
+int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
 SSL_SESSION *SSL_get_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c
index 8dbd4a3f392..5bf43623fc8 100644
--- a/lib/libssl/src/ssl/ssl_lib.c
+++ b/lib/libssl/src/ssl/ssl_lib.c
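Review bot: The new public prototype `int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);` in the @@ -1755 hunk states none of its contract, while the commit message does: the buffer holds PEM-encoded CA certificates. A reader of ssl.h cannot tell the expected encoding, whether the store copies the data or keeps referring to `buf` after the call returns, or what the return value means, and since X509_STORE_load_mem is not part of this diff I cannot confirm those from here either. I would put a comment above the declaration, e.g. `/* Load PEM-encoded CA certificates from the len bytes at buf into the ctx certificate store. */`, and extend it with the copy/retain behaviour and the success value once checked against X509_STORE_load_mem; whether `buf` can be `const void *` depends on that function's signature too. The identical hunk for lib/libssl/ssl.h further down needs the same comment.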
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.94 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.95 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2862,6 +2862,12 @@ SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
 	return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath));
 }
 
+int
+SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
+{
+	return (X509_STORE_load_mem(ctx->cert_store, buf, len));
+}
+
 void
 SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val))
 {
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 8302bba39c5..56344085ada 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.76 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.77 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1755,6 +1755,7 @@ int SSL_version(const SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
     const char *CApath);
+int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
 SSL_SESSION *SSL_get_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
diff --git a/lib/libssl/ssl/shlib_version b/lib/libssl/ssl/shlib_version
index 079346fa7b1..10f084cda1d 100644
--- a/lib/libssl/ssl/shlib_version
+++ b/lib/libssl/ssl/shlib_version
@@ -1,2 +1,2 @@
 major=30
-minor=0
+minor=1
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 8dbd4a3f392..5bf43623fc8 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
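Review bot: In the @@ -2862 hunk, `SSL_CTX_load_verify_mem` forwards `buf` and `len` to X509_STORE_load_mem with no validation, so a NULL buffer or a negative `len` reaches the X509 layer, which is outside this diff and whose own checks I cannot confirm from here. Because this entry point exists so that privsep'ed code can verify against CA data it did not read from disk itself — likely handed over from another process — a guard at the library boundary is cheap: `if (buf == NULL || len < 0)` followed by `return (0);` before the existing return, 0 being the failure value the neighbouring SSL_CTX_load_verify_locations yields through X509_STORE_load_locations. A short comment above the function would also carry the commit message's intent into the code: `/* Load PEM-encoded CA certificates from memory; no file access required. */`. The identical hunk for lib/libssl/ssl_lib.c below has the same gap.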
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.94 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.95 2015/01/22 09:12:57 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2862,6 +2862,12 @@ SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
 	return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath));
 }
 
+int
+SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
+{
+	return (X509_STORE_load_mem(ctx->cert_store, buf, len));
+}
+
 void
 SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val))
 {