From 0486b4d689e2c9a71e367297ffc340469253332b Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Sat, 30 Jan 2021 10:52:19 +0100
Subject: tls-aux.c: add helper to obtain default cert paths

...and compile it as standalone test program. After "make check", you can check t.tls-aux.log in the build area for the defaults. Note that environment overrides can be made, see SSL_CTX_set_default_verify_paths(3) or, for instance, https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_paths.html OpenSSL 3.x may ship an openssl-env(7) manual page.
---
 Makefile.am | 8 ++++++--
 fetchmail.h | 4 ++++
 t.tls-aux | 2 ++
 tls-aux.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 t.tls-aux
 create mode 100644 tls-aux.c

diff --git a/Makefile.am b/Makefile.am
index 083c5340..d7d0320c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -47,7 +47,7 @@ DEPENDENCIES= libfm.a $(LIBOBJS)
 check_PROGRAMS=
-TESTS= t.smoke t.validate-xhtml10 t.validate-xhtml t.x509_name_match t.realpath
+TESTS= t.smoke t.validate-xhtml10 t.validate-xhtml t.x509_name_match t.realpath t.tls-aux
 LOG_COMPILER= env LC_ALL=C TZ=UTC $(SHELL)
 if NEED_TRIO
@@ -102,8 +102,10 @@ if NEED_GETADDRINFO
 fetchmail_SOURCES += libesmtp/getaddrinfo.h libesmtp/getaddrinfo.c
 endif
+tls_aux_SOURCES = tls-aux.c
+
 check_PROGRAMS += rfc822 unmime netrc rfc2047e mxget rfc822valid \
- x509_name_match fm_realpath
+ x509_name_match fm_realpath tls-aux
 fm_realpath_CFLAGS= -DTEST
@@ -113,6 +115,8 @@ rfc822valid_CFLAGS= -DTEST
 rfc822_CFLAGS= -DMAIN
+tls_aux_CFLAGS= -DTEST
+
 x509_name_match_CFLAGS= -DTEST
 unmime_SOURCES= unmime.c
diff --git a/fetchmail.h b/fetchmail.h
index 902aae18..a5f15e8d 100644
--- a/fetchmail.h
+++ b/fetchmail.h
@@ -796,4 +796,8 @@ int ntlm_helper(int sock, struct query *ctl, const char *protocol);
 /* fm_realpath.c */
 char *fm_realpath(const char *restrict file_name);
+/* tls-aux.c */
+const char *get_default_cert_path(void);
+const char *get_default_cert_file(void);
+
 /* fetchmail.h ends here */
diff --git a/t.tls-aux b/t.tls-aux
new file mode 100644
index 00000000..29f0ca12
--- /dev/null
+++ b/t.tls-aux
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec ./tls-aux
diff --git a/tls-aux.c b/tls-aux.c
new file mode 100644
index 00000000..a3fc7908
--- /dev/null
+++ b/tls-aux.c
@@ -0,0 +1,56 @@
+#include "config.h"
+#include "fetchmail.h"
+
+#ifdef SSL_ENABLE
+#include
+#include
+#include
+
+/** return a constant copy of the default SSL certificate path
+ * the directory with hashed certificates, see
+ * SSL_CTX_load_verify_locations(3),
+ * not to be modified by caller. */
+const char *get_default_cert_path(void) {
+ const char *rb = (char *)0, *tmp;
+
+ tmp = X509_get_default_cert_dir_env();
+ if (tmp) rb = getenv(tmp);
+ if (!rb) rb = X509_get_default_cert_dir();
+
+ return rb;
+}
+
+/** return a constant copy of the default SSL certificate file
+ * the directory with hashed certificates, see
+ * SSL_CTX_load_verify_locations(3),
+ * not to be modified by caller. */
+const char *get_default_cert_file(void) {
+ const char *rb = (char *)0, *tmp;
+
+ tmp = X509_get_default_cert_file_env();
+ if (tmp) rb = getenv(tmp);
+ if (!rb) rb = X509_get_default_cert_file();
+
+ return rb;
+}
+
+#endif /* SSL_ENABLE */
+
+#ifdef TEST
+#include
+
+int main(void) {
+#ifdef SSL_ENABLE
+ const char *tmp;
+
+ tmp = get_default_cert_file();
+ printf("X509 default cert file: %s\n", tmp ? tmp : "(null)");
+
+ tmp = get_default_cert_path();
+ printf("X509 default cert path: %s\n", tmp ? tmp : "(null)");
+#else
+ puts("SSL support not compiled in.");
+#endif /* SSL_ENABLE */
+ exit(EXIT_SUCCESS);
+}
+#endif /* TEST */
--
cgit v1.2.3
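Review bot: The two new prototypes in fetchmail.h are declared unconditionally, while tls-aux.c defines get_default_cert_path and get_default_cert_file only inside `#ifdef SSL_ENABLE`, so a non-SSL build that calls either of them fails at link time instead of being caught by the compiler. Either wrap the two declarations in the same `#ifdef SSL_ENABLE` / `#endif` guard (or move them into an existing SSL-guarded section of the header, if there is one), or have tls-aux.c supply stub definitions returning NULL outside the guard. A one-line contract next to the declarations would also help callers, e.g. `/* tls-aux.c: default OpenSSL CA directory / CA file, honouring the environment override; returned pointer is borrowed, may be NULL, must not be modified or freed */`.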
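Review bot: The doc comment on get_default_cert_file is copied from get_default_cert_path and still says "the directory with hashed certificates", although this function returns the default certificate file (the CA bundle), so the two comments should describe different things. Both also promise a "constant copy", but each function returns a borrowed pointer — either the getenv() result, which stays valid only until the environment is next modified, or OpenSSL's static default string — not a copy. Suggested wording for the file variant, with the analogous text for the directory variant: `/** Return the default SSL certificate file (CA bundle): the value of the environment variable named by X509_get_default_cert_file_env() if set, else X509_get_default_cert_file(). Borrowed pointer, possibly NULL; caller must not modify or free it. */`. Honouring the environment override matches what SSL_CTX_set_default_verify_paths(3) does itself, but it means the trust store is selected by whoever controls the process environment, which deserves a short comment at the getenv() call so the behaviour is not mistaken for an oversight. Minor: `(char *)0` can be written `NULL`, and the `#include` lines are rendered here without their header names, so the include list could not be checked from this page.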