Use /etc/tlsdate/ca-roots/tlsdate-ca-roots.conf for certs by default; allow setting file or dir
diff --git a/Makefile.am b/Makefile.am
index 39b9b57..05173f7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -104,6 +104,7 @@
 	@rm -f $@-t $@
 	@{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
 	  echo '#define TLSDATE_CONFIG "$(sysconfdir)/ca-roots/"'; \
+	  echo '#define TLSDATE_CERTFILE "$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf"'; \
 	  echo '#define TLSDATE_HELPER "$(bindir)/tlsdate-helper"'; \
 	  echo '#define TLSDATE "$(bindir)/tlsdate"'; \
 	  echo '#define TLSDATED "$(bindir)/tlsdated"'; \
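Review bot: The new TLSDATE_CERTFILE path is `$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf`, while the TLSDATE_CONFIG define on the line directly above it is `$(sysconfdir)/ca-roots/` with no `tlsdate/` component, so the two generated defines point into different trees. If one CA location is intended, one of the two is presumably wrong; if the difference is deliberate, a one-line comment in this rule would save the next reader the question. Nothing in this hunk installs the file, and tlsdate-helper in this same diff now dies when the path cannot be stat()ed, so whatever is expected to ship the file is worth stating in the commit message.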
diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c
index 98256ff..807375a 100644
--- a/src/tlsdate-helper.c
+++ b/src/tlsdate-helper.c
@@ -683,6 +683,7 @@
   BIO *s_bio;
   SSL_CTX *ctx;
   SSL *ssl;
+  struct stat statbuf;
 
   SSL_load_error_strings();
   SSL_library_init();
@@ -708,8 +709,25 @@
 
   if (ca_racket)
   {
-    if (1 != SSL_CTX_load_verify_locations(ctx, NULL, certdir))
-      fprintf(stderr, "SSL_CTX_load_verify_locations failed\n");
+    if (-1 == stat(ca_cert_container, &statbuf))
+    {
+      die("Unable to stat CA certficate container\n");
+    } else
+    {
+      switch (statbuf.st_mode & S_IFMT)
+      {
+      case S_IFREG:
+        if (1 != SSL_CTX_load_verify_locations(ctx, ca_cert_container, NULL))
+          fprintf(stderr, "SSL_CTX_load_verify_locations failed\n");
+        break;
+      case S_IFDIR:
+        if (1 != SSL_CTX_load_verify_locations(ctx, NULL, ca_cert_container))
+          fprintf(stderr, "SSL_CTX_load_verify_locations failed\n");
+        break;
+      default:
+        die("Unable to load CA certficate container\n");
+      }
+    }
   }
 
   if (NULL == (s_bio = make_ssl_bio(ctx)))
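Review bot: A failed SSL_CTX_load_verify_locations() in the S_IFREG and S_IFDIR cases still only prints to stderr and falls through to the handshake, while the stat() failure and the switch default a few lines earlier call die(); when the caller asked for verification (ca_racket is set), an unloadable trust store should be fatal as well, so those two fprintf() lines should become `die("SSL_CTX_load_verify_locations failed\n");`. The two cases also duplicate the load call; picking the file or dir argument inside the switch and making one call afterwards removes the duplication. Both new die() messages spell "certificate" as "certficate", and the `else` after die() is redundant if die() does not return, which it presumably doesn't. The enclosing function starts before this hunk.
```c
  if (ca_racket)
  {
    const char *ca_file = NULL;
    const char *ca_dir = NULL;

    if (-1 == stat(ca_cert_container, &statbuf))
      die("Unable to stat CA certificate container\n");

    switch (statbuf.st_mode & S_IFMT)
    {
    case S_IFREG:
      ca_file = ca_cert_container;
      break;
    case S_IFDIR:
      ca_dir = ca_cert_container;
      break;
    default:
      die("Unable to load CA certificate container\n");
    }

    /* verification was requested, so an unusable trust store is fatal */
    if (1 != SSL_CTX_load_verify_locations(ctx, ca_file, ca_dir))
      die("SSL_CTX_load_verify_locations failed\n");
  }
```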
@@ -822,7 +840,7 @@
   hostname_to_verify = argv[1];
   port = argv[2];
   protocol = argv[3];
-  certdir = argv[6];
+  ca_cert_container = argv[6];
   ca_racket = (0 != strcmp ("unchecked", argv[4]));
   verbose = (0 != strcmp ("quiet", argv[5]));
   setclock = (0 == strcmp ("setclock", argv[7]));
diff --git a/src/tlsdate-helper.h b/src/tlsdate-helper.h
index 8c692d6..d897080 100644
--- a/src/tlsdate-helper.h
+++ b/src/tlsdate-helper.h
@@ -15,6 +15,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <sys/wait.h>
@@ -94,7 +95,7 @@
 
 static char *proxy;
 
-static const char *certdir;
+static const char *ca_cert_container;
 void openssl_time_callback (const SSL* ssl, int where, int ret);
 uint32_t get_certificate_keybits (EVP_PKEY *public_key);
 uint32_t check_cn (SSL *ssl, const char *hostname);
diff --git a/src/tlsdate.c b/src/tlsdate.c
index 8b2fb1a..c8bc09c 100644
--- a/src/tlsdate.c
+++ b/src/tlsdate.c
@@ -89,7 +89,7 @@
           " [-H|--host] [hostname|ip]\n"
           " [-p|--port] [port number]\n"
           " [-P|--protocol] [sslv23|sslv3|tlsv1]\n"
-          " [-C|--certdir] [dirname]\n"
+          " [-C|--certcontainer] [dirname|filename]\n"
           " [-v|--verbose]\n"
           " [-V|--showtime]\n"
           " [-t|--timewarp]\n"
@@ -108,7 +108,7 @@
   const char *host;
   const char *port;
   const char *protocol;
-  const char *certdir;
+  const char *ca_cert_container;
   int timewarp;
   int leap;
   const char *proxy;
@@ -116,7 +116,7 @@
   host = DEFAULT_HOST;
   port = DEFAULT_PORT;
   protocol = DEFAULT_PROTOCOL;
-  certdir = DEFAULT_CERTDIR;
+  ca_cert_container = DEFAULT_CERTFILE;
   verbose = 0;
   ca_racket = 1;
   showtime = 0;
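Review bot: The default now names a single generated path (DEFAULT_CERTFILE, from TLSDATE_CERTFILE), and tlsdate-helper in this diff dies when it cannot stat() that path, so a build whose packaging does not install tlsdate-ca-roots.conf will fail on every run out of the box, where the old `/etc/ssl/certs` default was usually present. Failing closed is the right behaviour, but it deserves a comment on this line, e.g. `/* default trust store; the helper refuses to run if this path is missing */`, and a sentence in the commit description. DEFAULT_CERTDIR in tlsdate.h is left defined but has no remaining user anywhere in this diff; either remove it or say why it stays. The enclosing function starts and ends outside this hunk.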
@@ -139,7 +139,7 @@
         {"port", 0, 0, 'p'},
         {"protocol", 0, 0, 'P'},
         {"dont-set-clock", 0, 0, 'n'},
-        {"certdir", 0, 0, 'C'},
+        {"certcontainer", 0, 0, 'C'},
         {"timewarp", 0, 0, 't'},
         {"leap", 0, 0, 'l'},
         {"proxy", 0, 0, 'x'},
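Review bot: Renaming the long option drops `--certdir` entirely, so existing command lines and init scripts that pass it stop working; keeping the old spelling as an alias for 'C' beside the new entry, `{"certdir", 0, 0, 'C'},`, preserves them, with the usage text in the earlier hunk of this file noting it as deprecated. Separately, if this table feeds getopt_long, the second field `0` means no_argument, so `--certcontainer <path>` would not deliver the path through optarg even though the `case 'C'` hunk below expects one; that pattern predates this change and applies to the neighbouring entries too, so it is worth a separate fix rather than a change here. The enclosing array and function start before this hunk.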
@@ -160,7 +160,7 @@
       case 'p': port = optarg; break;
       case 'P': protocol = optarg; break;
       case 'n': setclock = 0; break;
-      case 'C': certdir = optarg; break;
+      case 'C': ca_cert_container = optarg; break;
       case 't': timewarp = 1; break;
       case 'l': leap = 1; break;
       case 'x': proxy = optarg; break;
@@ -188,7 +188,7 @@
     protocol,
     (ca_racket ? "racket" : "unchecked"),
     (verbose ? "verbose" : "quiet"),
-    certdir,
+    ca_cert_container,
     (setclock ? "setclock" : "dont-set-clock"),
     (showtime ? "showtime" : "no-showtime"),
     (timewarp ? "timewarp" : "no-fun"),
diff --git a/src/tlsdate.h b/src/tlsdate.h
index 4c918cd..f01d970 100644
--- a/src/tlsdate.h
+++ b/src/tlsdate.h
@@ -22,6 +22,7 @@
 #define DEFAULT_PORT "443"
 #define DEFAULT_PROTOCOL "tlsv1"
 #define DEFAULT_CERTDIR "/etc/ssl/certs"
+#define DEFAULT_CERTFILE TLSDATE_CERTFILE
 #define DEFAULT_DAEMON_CACHEDIR "/var/cache/tlsdated"
 #define DEFAULT_DAEMON_TMPSUFFIX ".new"
 #define DEFAULT_TLSDATE TLSDATE