From 56f5702a7abc8aba9804a1d45f3a5662a2121a19 Mon Sep 17 00:00:00 2001
From: Patrick McDermott
Date: Wed, 31 Jul 2019 01:52:42 -0400
Subject: build: Make CA root certificates path configurable

Use of installed CA root certificates can also be disabled entirely, but that just breaks everything.
---
diff --git a/configure.ac b/configure.ac
index 47e9eef..0d82862 100644
--- a/configure.ac
+++ b/configure.ac
@@ -90,6 +90,41 @@ for flag in -Os -s -fno-unwind-tables -fno-asynchronous-unwind-tables \
 AX_CHECK_COMPILE_FLAG([${flag}], [AX_APPEND_FLAG([${flag}])])
 done
 
+CA_CERTS='/etc/ssl/certs'
+AC_ARG_WITH([ca-certificates],
+ [AS_HELP_STRING([--with-ca-certificates=PATH],
+ [path to CA root certificates])],
+ [
+ case "${withval}" in
+ 'yes'|'')
+ HAVE_CA_CERTS=1
+ ;;
+ 'no')
+ HAVE_CA_CERTS=0
+ ;;
+ *)
+ HAVE_CA_CERTS=1
+ CA_CERTS="${withval}"
+ ;;
+ esac
+ ],
+ [
+ AC_MSG_CHECKING([for CA root certificates])
+ if test -d "${CA_CERTS}"; then
+ AC_MSG_RESULT([${CA_CERTS}])
+ HAVE_CA_CERTS=1
+ else
+ AC_MSG_RESULT([no])
+ HAVE_CA_CERTS=0
+ fi
+ ]
+)
+AC_DEFINE_UNQUOTED([HAVE_CA_CERTS], [${HAVE_CA_CERTS}],
+ [Define to 1 to verify certificates against installed CA root
+ certificates.])
+AC_DEFINE_UNQUOTED([CA_CERTS], ["${CA_CERTS}"],
+ [Define to the path to CA root certificates.])
+
 PKG_PROG_PKG_CONFIG()
 PKG_CHECK_MODULES([WOLFSSL], [wolfssl])
 WOLFSSL_CFLAGS="$(printf ' %s' "${WOLFSSL_CFLAGS}" | \
diff --git a/src/s_client.c b/src/s_client.c
index 37d59fb..0cd77ca 100644
--- a/src/s_client.c
+++ b/src/s_client.c
@@ -19,6 +19,10 @@
  * along with wolfssl-util. If not, see .
  */
 
+#ifdef HAVE_CONFIG_H
+#include 
+#endif
+
 #include 
 #include 
 #include 
@@ -35,8 +39,6 @@
 
 #include "commands.h"
 
-#define CA_CERTS "/etc/ssl/certs"
-
 #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
 #undef MAX
 #define MAX(a, b) (((a) > (b)) ? (a) : (b))
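Review bot: The explicit `--with-ca-certificates=PATH` branch (the `*)` case) stores `CA_CERTS="${withval}"` without the `test -d` check that only the action-if-not-given branch performs, and the `'yes'|''` case likewise assumes the default `/etc/ssl/certs` exists, so a mistyped or absent directory is configured as the trust store and only surfaces at runtime (with `WOLFSSL_LOAD_FLAG_IGNORE_ERR` on the load call, possibly not even then — worth confirming against wolfSSL's handling of a missing directory). Hoist the existence check below `AC_ARG_WITH` so it runs whenever `HAVE_CA_CERTS=1`, e.g. `if test "${HAVE_CA_CERTS}" = 1 && test ! -d "${CA_CERTS}"; then` / `AC_MSG_WARN([CA root certificates directory ${CA_CERTS} not found])` / `fi`. The `'no')` case deserves an `AC_MSG_WARN` as well, since the commit message itself says that building without CA certificates breaks certificate verification, and a silent `HAVE_CA_CERTS=0` in config.h is easy to miss.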
@@ -313,12 +315,14 @@ s_client(int argc, char **argv)
 goto error;
 }
 
+#if defined(HAVE_CA_CERTS) && HAVE_CA_CERTS
 if (wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, CA_CERTS,
 WOLFSSL_LOAD_FLAG_IGNORE_ERR) != WOLFSSL_SUCCESS) {
 fputs("Failed to load CA certificates\n", stderr);
 goto error;
 }
+#endif
 
 (void) servername;
 
 if (
--
cgit v0.9.1
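Review bot: With the fallback `#define CA_CERTS "/etc/ssl/certs"` removed from the header section, a build that does not define `HAVE_CONFIG_H` leaves `HAVE_CA_CERTS` undefined, and the new `#if defined(HAVE_CA_CERTS) && HAVE_CA_CERTS` then silently compiles out the only CA loading in this hunk rather than failing the build; configure always defines `HAVE_CA_CERTS` as 0 or 1, so the `defined()` test only ever hides that no-config.h case. Prefer an explicit failure by replacing the bare `#endif` with `#elif !defined(HAVE_CA_CERTS)` / `#error "HAVE_CA_CERTS is undefined; include config.h"` / `#endif`. Whether a `HAVE_CA_CERTS=0` build then rejects every peer or connects without authentication depends on the verify mode set on `ctx` elsewhere in s_client(), which starts and ends outside this hunk, so a `fputs` warning to stderr in an `#else` branch may be worth adding too.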