Diffstat (limited to 'tls.c')
-rw-r--r-- | tls.c | 44 |
1 files changed, 43 insertions, 1 deletions
diff --git a/tls.c b/tls.c
index 9e5a58d..90458c4 100644
--- a/tls.c
+++ b/tls.c
@@ -543,6 +543,48 @@ tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
 return (0);
 }
 
+static int
+load_verify_mem(SSL_CTX *ctx, void *buf, int len)
+{
+ X509_STORE *store;
+ BIO *in = NULL;
+ STACK_OF(X509_INFO) *inf = NULL;
+ X509_INFO *itmp;
+ int i, count = 0, ok = 0;
+
+ store = SSL_CTX_get_cert_store(ctx);
+
+ if ((in = BIO_new_mem_buf(buf, len)) == NULL)
+ goto done;
+
+ if ((inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL)) == NULL)
+ goto done;
+
+ for (i = 0; i < sk_X509_INFO_num(inf); i++) {
+ itmp = sk_X509_INFO_value(inf, i);
+ if (itmp->x509) {
+ if ((ok = X509_STORE_add_cert(store, itmp->x509)) == 0)
+ goto done;
+ count++;
+ }
+ if (itmp->crl) {
+ if ((ok = X509_STORE_add_crl(store, itmp->crl)) == 0)
+ goto done;
+ count++;
+ }
+ }
+
+ ok = count != 0;
+ done:
+ if (count == 0)
+ X509err(0xfff, ERR_R_PEM_LIB);
+ if (inf != NULL)
+ sk_X509_INFO_pop_free(inf, X509_INFO_free);
+ if (in != NULL)
+ BIO_free(in);
+ return (ok);
+}
+
 int
 tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 {
@@ -580,7 +622,7 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 tls_set_errorx(ctx, "ca too long");
 goto err;
 }
- if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
+ if (load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
 tls_set_errorx(ctx, "ssl verify memory setup failure");
 goto err;
 }
|
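Review bot: load_verify_mem() hands `len` to BIO_new_mem_buf() unchecked, and that call documents a length of -1 as "buf is NUL-terminated, use strlen()", so the helper depends entirely on its caller for bounds. The second hunk shows a "ca too long" rejection just before the call, but the condition itself is outside the hunk; a guard at the top of the helper, `if (len <= 0) goto done;`, would make it fail closed on its own. Separately, the `done:` path pushes `X509err(0xfff, ERR_R_PEM_LIB)` whenever `count == 0`, which also fires after a BIO allocation failure or a failed first X509_STORE_add_cert(), so the real cause ends up under a generic PEM error. A short header comment stating the return contract (1 when at least one certificate or CRL was added, 0 otherwise) and what the 0xfff function code stands for would help the next reader of this trust-store path.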