mbedtls: fix CURLOPT_SSLCERT_BLOB (again)

- Increase the buffer length passed to mbedtls_x509_crt_parse to account
  for the null byte appended to the temporary blob.

Follow-up to 867ad1c which uses a null terminated copy of the
certificate blob, because mbedtls_x509_crt_parse requires PEM data
to be null terminated.

Ref: https://github.com/curl/curl/commit/867ad1c#r63439893
Ref: https://github.com/curl/curl/pull/8146

Closes https://github.com/curl/curl/pull/8260

diff --git a/docs/libcurl/opts/CURLOPT_SSLCERT_BLOB.3 b/docs/libcurl/opts/CURLOPT_SSLCERT_BLOB.3
index 41a7562aed7fb62006a69ba0e6a14cf22a6caa8a..994c52b9f19ae417a37c579ad05fa189ba92c149 100644 (file)
--- a/docs/libcurl/opts/CURLOPT_SSLCERT_BLOB.3
+++ b/docs/libcurl/opts/CURLOPT_SSLCERT_BLOB.3
@@ -33,8 +33,9 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLCERT_BLOB,
 .SH DESCRIPTION
 Pass a pointer to a curl_blob structure, which contains (pointer and size) a
 client certificate. The format must be "P12" on Secure Transport or
-Schannel. The format must be "P12" or "PEM" on OpenSSL. The string "P12" or
-"PEM" must be specified with \fICURLOPT_SSLCERTTYPE(3)\fP.
+Schannel. The format must be "P12" or "PEM" on OpenSSL. The format must be
+"DER" or "PEM" on mbedTLS. The format must be specified with
+\fICURLOPT_SSLCERTTYPE(3)\fP.
 
 If the blob is initialized with the flags member of struct curl_blob set to
 CURL_BLOB_COPY, the application does not have to keep the buffer around after
@@ -63,8 +64,8 @@ if(curl) {
 }
 .fi
 .SH AVAILABILITY
-Added in 7.71.0. This option is supported by the OpenSSL, Secure Transport and
-Schannel backends.
+Added in 7.71.0. This option is supported by the OpenSSL, Secure Transport,
+Schannel and mbedTLS (since 7.78.0) backends.
 .SH RETURN VALUE
 Returns CURLE_OK if TLS enabled, CURLE_UNKNOWN_OPTION if not, or
 CURLE_OUT_OF_MEMORY if there was insufficient heap space.

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 2d0e875e422378b6c15093a22a5f80812cde86fa..4dd7efa2b2c361ff9d80a4205318009bce2e104b 100644 (file)
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -388,7 +388,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
     memcpy(newblob, ssl_cert_blob->data, ssl_cert_blob->len);
     newblob[ssl_cert_blob->len] = 0; /* null terminate */
     ret = mbedtls_x509_crt_parse(&backend->clicert, newblob,
-                                 ssl_cert_blob->len);
+                                 ssl_cert_blob->len + 1);
     free(newblob);
 
     if(ret) {