authorPatrick McDermott <patrick.mcdermott@libiquity.com>2019-07-31 01:52:42 (EDT)
committer Patrick McDermott <patrick.mcdermott@libiquity.com>2019-07-31 01:52:42 (EDT)
commit56f5702a7abc8aba9804a1d45f3a5662a2121a19 (patch)
tree065c9c91edd573f2e86c3d59c944a9f74de6a88d
parent6256730f0c367def45c219027706d3adbe74276b (diff)
build: Make CA root certificates path configurable
Use of installed CA root certificates can also be disabled entirely, but that just breaks everything.
-rw-r--r--configure.ac35
-rw-r--r--src/s_client.c8
2 files changed, 41 insertions, 2 deletions
diff --git a/configure.ac b/configure.ac
index 47e9eef..0d82862 100644
--- a/configure.ac
+++ b/configure.ac
@@ -90,6 +90,41 @@ for flag in -Os -s -fno-unwind-tables -fno-asynchronous-unwind-tables \
AX_CHECK_COMPILE_FLAG([${flag}], [AX_APPEND_FLAG([${flag}])])
done
+CA_CERTS='/etc/ssl/certs'
+AC_ARG_WITH([ca-certificates],
+ [AS_HELP_STRING([--with-ca-certificates=PATH],
+ [path to CA root certificates])],
+ [
+ case "${withval}" in
+ 'yes'|'')
+ HAVE_CA_CERTS=1
+ ;;
+ 'no')
+ HAVE_CA_CERTS=0
+ ;;
+ *)
+ HAVE_CA_CERTS=1
+ CA_CERTS="${withval}"
+ ;;
+ esac
+ ],
+ [
+ AC_MSG_CHECKING([for CA root certificates])
+ if test -d "${CA_CERTS}"; then
+ AC_MSG_RESULT([${CA_CERTS}])
+ HAVE_CA_CERTS=1
+ else
+ AC_MSG_RESULT([no])
+ HAVE_CA_CERTS=0
+ fi
+ ]
+)
+AC_DEFINE_UNQUOTED([HAVE_CA_CERTS], [${HAVE_CA_CERTS}],
+ [Define to 1 to verify certificates against installed CA root
+ certificates.])
+AC_DEFINE_UNQUOTED([CA_CERTS], ["${CA_CERTS}"],
+ [Define to the path to CA root certificates.])
+
PKG_PROG_PKG_CONFIG()
PKG_CHECK_MODULES([WOLFSSL], [wolfssl])
WOLFSSL_CFLAGS="$(printf ' %s' "${WOLFSSL_CFLAGS}" | \
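Review bot: The default branch of `AC_ARG_WITH` (taken when no `--with-ca-certificates` option is given) sets `HAVE_CA_CERTS=0` whenever `/etc/ssl/certs` is missing on the build machine, and the only trace is a `no` in the configure output. The `test -d` inspects the build host, so a cross build or a minimal build chroot yields a client that never loads trust anchors although nobody asked for that. I would make the else branch loud, e.g. `AC_MSG_WARN([no CA root certificates at ${CA_CERTS}; s_client will load no trust anchors])`, or fail unless `--without-ca-certificates` was passed explicitly. Separately, the `*)` arm copies `withval` into `CA_CERTS` unchecked, so a relative path would presumably be resolved against the process's working directory at run time. Rejecting any value that does not match `/*` with `AC_MSG_ERROR` keeps the trust-store location fixed.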
diff --git a/src/s_client.c b/src/s_client.c
index 37d59fb..0cd77ca 100644
--- a/src/s_client.c
+++ b/src/s_client.c
@@ -19,6 +19,10 @@
* along with wolfssl-util. If not, see <http://www.gnu.org/licenses/>.
*/
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
#include <errno.h>
#include <netdb.h>
#include <poll.h>
@@ -35,8 +39,6 @@
#include "commands.h"
-#define CA_CERTS "/etc/ssl/certs"
-
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#undef MAX
#define MAX(a, b) (((a) > (b)) ? (a) : (b))
@@ -313,12 +315,14 @@ s_client(int argc, char **argv)
goto error;
}
+#if defined(HAVE_CA_CERTS) && HAVE_CA_CERTS
if (wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, CA_CERTS,
WOLFSSL_LOAD_FLAG_IGNORE_ERR) !=
WOLFSSL_SUCCESS) {
fputs("Failed to load CA certificates\n", stderr);
goto error;
}
+#endif
(void) servername;
if (
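Review bot: With `#if defined(HAVE_CA_CERTS) && HAVE_CA_CERTS`, a build where `HAVE_CONFIG_H` is not defined never includes `config.h` and so silently compiles out the `wolfSSL_CTX_load_verify_locations_ex` call, whereas the removed hard-coded `#define CA_CERTS` always loaded the roots. A guard after the includes, `#ifndef HAVE_CA_CERTS` / `#error "HAVE_CA_CERTS is not defined; build with config.h"` / `#endif`, turns that into a build failure, and the condition can then be plain `#if HAVE_CA_CERTS`. Whether the handshake still fails closed when no roots are loaded depends on the verify mode set elsewhere in `s_client`, which is outside this hunk. A short comment at the `#if` stating that peer verification must stay enabled in the no-roots build would help the next maintainer. The body of `s_client` starts before and continues past the hunk.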