diff options
| author | Patrick McDermott <patrick.mcdermott@libiquity.com> | 2019-07-31 01:52:42 (EDT) |
|---|---|---|
| committer | Patrick McDermott <patrick.mcdermott@libiquity.com> | 2019-07-31 01:52:42 (EDT) |
| commit | 56f5702a7abc8aba9804a1d45f3a5662a2121a19 (patch) | |
| tree | 065c9c91edd573f2e86c3d59c944a9f74de6a88d | |
| parent | 6256730f0c367def45c219027706d3adbe74276b (diff) | |
build: Make CA root certificates path configurable
Use of installed CA root certificates can also be disabled entirely, but
that just breaks everything.
| -rw-r--r-- | configure.ac | 35 | ||||
| -rw-r--r-- | src/s_client.c | 8 |
2 files changed, 41 insertions, 2 deletions
diff --git a/configure.ac b/configure.ac index 47e9eef..0d82862 100644 --- a/configure.ac +++ b/configure.ac @@ -90,6 +90,41 @@ for flag in -Os -s -fno-unwind-tables -fno-asynchronous-unwind-tables \ AX_CHECK_COMPILE_FLAG([${flag}], [AX_APPEND_FLAG([${flag}])]) done +CA_CERTS='/etc/ssl/certs' +AC_ARG_WITH([ca-certificates], + [AS_HELP_STRING([--with-ca-certificates=PATH], + [path to CA root certificates])], + [ + case "${withval}" in + 'yes'|'') + HAVE_CA_CERTS=1 + ;; + 'no') + HAVE_CA_CERTS=0 + ;; + *) + HAVE_CA_CERTS=1 + CA_CERTS="${withval}" + ;; + esac + ], + [ + AC_MSG_CHECKING([for CA root certificates]) + if test -d "${CA_CERTS}"; then + AC_MSG_RESULT([${CA_CERTS}]) + HAVE_CA_CERTS=1 + else + AC_MSG_RESULT([no]) + HAVE_CA_CERTS=0 + fi + ] +) +AC_DEFINE_UNQUOTED([HAVE_CA_CERTS], [${HAVE_CA_CERTS}], + [Define to 1 to verify certificates against installed CA root + certificates.]) +AC_DEFINE_UNQUOTED([CA_CERTS], ["${CA_CERTS}"], + [Define to the path to CA root certificates.]) + PKG_PROG_PKG_CONFIG() PKG_CHECK_MODULES([WOLFSSL], [wolfssl]) WOLFSSL_CFLAGS="$(printf ' %s' "${WOLFSSL_CFLAGS}" | \ diff --git a/src/s_client.c b/src/s_client.c index 37d59fb..0cd77ca 100644 --- a/src/s_client.c +++ b/src/s_client.c @@ -19,6 +19,10 @@ * along with wolfssl-util. If not, see <http://www.gnu.org/licenses/>. */ +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + #include <errno.h> #include <netdb.h> #include <poll.h> @@ -35,8 +39,6 @@ #include "commands.h" -#define CA_CERTS "/etc/ssl/certs" - #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) #undef MAX #define MAX(a, b) (((a) > (b)) ? (a) : (b)) @@ -313,12 +315,14 @@ s_client(int argc, char **argv) goto error; } +#if defined(HAVE_CA_CERTS) && HAVE_CA_CERTS if (wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, CA_CERTS, WOLFSSL_LOAD_FLAG_IGNORE_ERR) != WOLFSSL_SUCCESS) { fputs("Failed to load CA certificates\n", stderr); goto error; } +#endif (void) servername; if ( |