From: Disyer Date: Mon, 17 Jul 2023 13:46:34 +0000 (+0300) Subject: wolfssl: support loading system CA certificates X-Git-Tag: curl-8_3_0~274 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f9c20d49f3817a355520d9445b48850599a319b;p=thirdparty%2Fcurl.git wolfssl: support loading system CA certificates Closes #11452
---
diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words
index a9e2a7aaad..7be1719b43 100644
--- a/.github/scripts/spellcheck.words
+++ b/.github/scripts/spellcheck.words
@@ -150,6 +150,7 @@ cyassl
 Cygwin
 daniel
 datatracker
+Debian
 decrypt
 deepcode
 DELE
@@ -216,6 +217,7 @@ Falkeborn
 Fandrich
 Fastly
 fcpp
+Fedora
 Feltzing
 ffi
 filesize
@@ -243,6 +245,7 @@ gcc
 GCM
 gdb
 Genode
+Gentoo
 Gergely
 getaddrinfo
 getenv
@@ -624,6 +627,7 @@ resending
 RETR
 retransmit
 retrigger
+RHEL
 RICS
 Rikard
 rmdir
@@ -785,6 +789,7 @@ tvOS
 txt
 typedef
 typedefed
+Ubuntu
 ucLinux
 UDP
 UI
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3
index 199b6a76c3..bbc4af8561 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3
@@ -62,9 +62,11 @@ library). If combined with \fICURLSSLOPT_NO_REVOKE\fP, the latter takes
 precedence. (Added in 7.70.0)
 .IP CURLSSLOPT_NATIVE_CA
 Tell libcurl to use the operating system's native CA store for certificate
-verification. Works only on Windows when built to use OpenSSL. If you set this
-option and also set a CA certificate file or directory then during verification
-those certificates are searched in addition to the native CA store.
+verification. Works only on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora,
+RHEL), macOS, Android and iOS when built to use wolfSSL (since 8.3.0) or on
+Windows when built to use OpenSSL. If you set this option and also set a CA
+certificate file or directory then during verification those certificates
+are searched in addition to the native CA store.
 (Added in 7.71.0)
 .IP CURLSSLOPT_AUTO_CLIENT_CERT
 Tell libcurl to automatically locate and use a client certificate for
diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
index 3e3d053064..881196ebf8 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
@@ -61,9 +61,11 @@ library). If combined with \fICURLSSLOPT_NO_REVOKE\fP, the latter takes
 precedence. (Added in 7.70.0)
 .IP CURLSSLOPT_NATIVE_CA
 Tell libcurl to use the operating system's native CA store for certificate
-verification. Works only on Windows when built to use OpenSSL. If you set this
-option and also set a CA certificate file or directory then during verification
-those certificates are searched in addition to the native CA store.
+verification. Works only on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora,
+RHEL), macOS, Android and iOS when built to use wolfSSL (since 8.3.0) or on
+Windows when built to use OpenSSL. If you set this option and also set a CA
+certificate file or directory then during verification those certificates
+are searched in addition to the native CA store.
 (Added in 7.71.0)
 .IP CURLSSLOPT_AUTO_CLIENT_CERT
 Tell libcurl to automatically locate and use a client certificate for
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 6cfc201c93..623ec772c8 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -372,6 +372,7 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
 #else
 #define use_sni(x) Curl_nop_stmt
 #endif
+ bool imported_native_ca = false;
 bool imported_ca_info_blob = false;
 
 DEBUGASSERT(backend);
@@ -507,13 +508,32 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
 }
 }
 
+#ifndef NO_FILESYSTEM
+ /* load native CA certificates */
+ if(ssl_config->native_ca_store) {
+ if(wolfSSL_CTX_load_system_CA_certs(backend->ctx) != WOLFSSL_SUCCESS) {
+ infof(data, "error importing native CA store, continuing anyway");
+ }
+ else {
+ imported_native_ca = true;
+ infof(data, "successfully imported native CA store");
+ }
+ }
+#endif /* !NO_FILESYSTEM */
+
+ /* load certificate blob */
 if(ca_info_blob) {
 if(wolfSSL_CTX_load_verify_buffer(
 backend->ctx, ca_info_blob->data, ca_info_blob->len,
 SSL_FILETYPE_PEM
 ) != SSL_SUCCESS) {
- failf(data, "error importing CA certificate blob");
- return CURLE_SSL_CACERT_BADFILE;
+ if(imported_native_ca) {
+ infof(data, "error importing CA certificate blob, continuing anyway");
+ }
+ else {
+ failf(data, "error importing CA certificate blob");
+ return CURLE_SSL_CACERT_BADFILE;
+ }
 }
 else {
 imported_ca_info_blob = true;
@@ -527,7 +547,8 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
 if(1 != SSL_CTX_load_verify_locations(backend->ctx,
 conn_config->CAfile,
 conn_config->CApath)) {
- if(conn_config->verifypeer && !imported_ca_info_blob) {
+ if(conn_config->verifypeer && !imported_ca_info_blob &&
+ !imported_native_ca) {
 /* Fail if we insist on successfully verifying the server. */
 failf(data, "error setting certificate verify locations:"
 " CAfile: %s CApath: %s",
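Review bot: In the blob error path, the new `if(imported_native_ca)` branch downgrades a CURLOPT_CAINFO_BLOB that fails to parse from a hard `CURLE_SSL_CACERT_BADFILE` to an `infof` and continues with whatever the native store (and any CAfile/CApath) provides, so a deliberately supplied but malformed private CA is silently dropped rather than reported. The blob is explicit caller input, not an opportunistic fallback, so I would keep `failf(data, "error importing CA certificate blob"); return CURLE_SSL_CACERT_BADFILE;` unconditional there, or at least gate the tolerant branch on `!conn_config->verifypeer` the way the CAfile path below does. Separately, `wolfSSL_CTX_load_system_CA_certs()` is, as far as I can tell, only provided by wolfSSL builds configured with `WOLFSSL_SYS_CA_CERTS`, so guarding on `NO_FILESYSTEM` alone may break compilation against other wolfSSL configurations; consider `#if !defined(NO_FILESYSTEM) && defined(WOLFSSL_SYS_CA_CERTS)` or a configure-time check. wolfssl_connect_step1 begins and ends outside this hunk.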
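Review bot: The comment `/* Fail if we insist on successfully verifying the server. */` no longer describes the condition above it, which now also requires that neither the CA blob nor the native store was imported; with verifypeer set and the native store loaded, an unreadable explicit CAfile/CApath is tolerated and, presumably, only warned about in the else branch outside this hunk. Suggest `/* Fail only if we insist on verification and no other trust source (CA blob or native store) was loaded; otherwise warn and continue. */`. It is also worth stating in the CURLSSLOPT_NATIVE_CA documentation that a mistyped CAfile/CApath no longer errors when the native store is in use. The enclosing `if` and wolfssl_connect_step1 extend beyond this hunk.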