[PATCH] libressl/apps: load trusted ca certificates as specified on the command line

Thu, 10 Jul 2014 20:08:16 -0700 

This is a fix for OpenSSL tickets #977 and #3213, loosely based on patch from
Reuben Thomas from #3213.
---
 src/apps/s_client.c |    5 +++--
 src/apps/s_server.c |   10 ++++++----
 src/apps/s_time.c   |    5 +++--
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/apps/s_client.c b/src/apps/s_client.c
index f693d10..3ffedcc 100644
--- a/src/apps/s_client.c
+++ b/src/apps/s_client.c
@@ -870,8 +870,9 @@ bad:
        if (!set_cert_key_stuff(ctx, cert, key))
                goto end;
 
-       if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
-           (!SSL_CTX_set_default_verify_paths(ctx))) {
+       if (!((CAfile || CApath) ?
+                       SSL_CTX_load_verify_locations(ctx, CAfile, CApath) :
+                       SSL_CTX_set_default_verify_paths(ctx))) {
                /*
                 * BIO_printf(bio_err,"error setting default verify
                 * locations\n");
diff --git a/src/apps/s_server.c b/src/apps/s_server.c
index 3f71740..9a20deb 100644
--- a/src/apps/s_server.c
+++ b/src/apps/s_server.c
@@ -1167,8 +1167,9 @@ bad:
 #endif
 
 
-       if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
-           (!SSL_CTX_set_default_verify_paths(ctx))) {
+       if (!((CAfile || CApath) ?
+                       SSL_CTX_load_verify_locations(ctx, CAfile, CApath) :
+                       SSL_CTX_set_default_verify_paths(ctx))) {
                /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
                ERR_print_errors(bio_err);
                /* goto end; */
@@ -1222,8 +1223,9 @@ bad:
                else
                        SSL_CTX_sess_set_cache_size(ctx2, 128);
 
-               if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
-                   (!SSL_CTX_set_default_verify_paths(ctx2))) {
+               if (!((CAfile || CApath) ?
+                               SSL_CTX_load_verify_locations(ctx2, CAfile, 
CApath) :
+                               SSL_CTX_set_default_verify_paths(ctx2))) {
                        ERR_print_errors(bio_err);
                }
                if (vpm)
diff --git a/src/apps/s_time.c b/src/apps/s_time.c
index 960ba4e..4dbd906 100644
--- a/src/apps/s_time.c
+++ b/src/apps/s_time.c
@@ -346,8 +346,9 @@ s_time_main(int argc, char **argv)
 
        SSL_load_error_strings();
 
-       if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
-           (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
+       if (!((CAfile || CApath) ?
+                       SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath) :
+                       SSL_CTX_set_default_verify_paths(tm_ctx))) {
                /*
                 * BIO_printf(bio_err,"error setting default verify
                 * locations\n");
-- 
1.7.10.4

Reply via email to