From 56f5702a7abc8aba9804a1d45f3a5662a2121a19 Mon Sep 17 00:00:00 2001
From: Patrick McDermott <patrick.mcdermott@libiquity.com>
Date: Wed, 31 Jul 2019 01:52:42 -0400
Subject: build: Make CA root certificates path configurable

Use of installed CA root certificates can also be disabled entirely, but
that just breaks everything.
---
diff --git a/configure.ac b/configure.ac
index 47e9eef..0d82862 100644
--- a/configure.ac
+++ b/configure.ac
@@ -90,6 +90,41 @@ for flag in -Os -s -fno-unwind-tables -fno-asynchronous-unwind-tables \
 	AX_CHECK_COMPILE_FLAG([${flag}], [AX_APPEND_FLAG([${flag}])])
 done
 
+CA_CERTS='/etc/ssl/certs'
+AC_ARG_WITH([ca-certificates],
+	[AS_HELP_STRING([--with-ca-certificates=PATH],
+		[path to CA root certificates])],
+	[
+		case "${withval}" in
+			'yes'|'')
+				HAVE_CA_CERTS=1
+				;;
+			'no')
+				HAVE_CA_CERTS=0
+				;;
+			*)
+				HAVE_CA_CERTS=1
+				CA_CERTS="${withval}"
+				;;
+		esac
+	],
+	[
+		AC_MSG_CHECKING([for CA root certificates])
+		if test -d "${CA_CERTS}"; then
+			AC_MSG_RESULT([${CA_CERTS}])
+			HAVE_CA_CERTS=1
+		else
+			AC_MSG_RESULT([no])
+			HAVE_CA_CERTS=0
+		fi
+	]
+)
+AC_DEFINE_UNQUOTED([HAVE_CA_CERTS], [${HAVE_CA_CERTS}],
+	[Define to 1 to verify certificates against installed CA root
+		certificates.])
+AC_DEFINE_UNQUOTED([CA_CERTS], ["${CA_CERTS}"],
+	[Define to the path to CA root certificates.])
+
 PKG_PROG_PKG_CONFIG()
 PKG_CHECK_MODULES([WOLFSSL], [wolfssl])
 WOLFSSL_CFLAGS="$(printf ' %s' "${WOLFSSL_CFLAGS}" | \
diff --git a/src/s_client.c b/src/s_client.c
index 37d59fb..0cd77ca 100644
--- a/src/s_client.c
+++ b/src/s_client.c
@@ -19,6 +19,10 @@
  * along with wolfssl-util.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
 #include <errno.h>
 #include <netdb.h>
 #include <poll.h>
@@ -35,8 +39,6 @@
 
 #include "commands.h"
 
-#define CA_CERTS "/etc/ssl/certs"
-
 #define ARRAY_SIZE(a)  (sizeof(a) / sizeof((a)[0]))
 #undef MAX
 #define MAX(a, b)      (((a) > (b)) ? (a) : (b))
@@ -313,12 +315,14 @@ s_client(int argc, char **argv)
 		goto error;
 	}
 
+#if defined(HAVE_CA_CERTS) && HAVE_CA_CERTS
 	if (wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, CA_CERTS,
 				WOLFSSL_LOAD_FLAG_IGNORE_ERR) !=
 			WOLFSSL_SUCCESS) {
 		fputs("Failed to load CA certificates\n", stderr);
 		goto error;
 	}
+#endif
 
 	(void) servername;
 	if (
--
cgit v0.9.1