From: Florian Van Heghe Date: Mon, 29 Nov 2021 14:22:33 +0000 (+0100) Subject: mbedTLS: add support for CURLOPT_CAINFO_BLOB X-Git-Tag: curl-7_81_0~121 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8443f975c0509595515d39532527c8c3e7e7313e;p=thirdparty%2Fcurl.git mbedTLS: add support for CURLOPT_CAINFO_BLOB Closes #8071 --- diff --git a/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.3 b/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.3 index 72923e8120..777b2e3369 100644 --- a/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.3 +++ b/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.3 @@ -61,7 +61,7 @@ if(curl) { .SH AVAILABILITY Added in 7.77.0. -This option is supported by the BearSSL (since 7.79.0), +This option is supported by the BearSSL (since 7.79.0), mbedTLS (since 7.81.0), OpenSSL, Secure Transport and Schannel backends. .SH RETURN VALUE Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index 08c79e1624..ba5c5d7566 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -270,7 +270,10 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; - const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); + const struct curl_blob *ca_info_blob = SSL_CONN_CONFIG(ca_info_blob); + const char * const ssl_cafile = + /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */ + (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); const bool verifypeer = SSL_CONN_CONFIG(verifypeer); const char * const ssl_capath = SSL_CONN_CONFIG(CApath); char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); 
@@ -316,6 +319,21 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, /* Load the trusted CA */ mbedtls_x509_crt_init(&backend->cacert); + if(ca_info_blob) { + const unsigned char *blob_data = (const unsigned char *)ca_info_blob->data; + ret = mbedtls_x509_crt_parse(&backend->cacert, blob_data, + ca_info_blob->len); + + if(ret<0) { + mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); + failf(data, "Error importing ca cert blob %s - mbedTLS: (-0x%04X) %s", + ca_info_blob, -ret, errorbuf); + + if(verifypeer) + return ret; + } + } + if(ssl_cafile) { ret = mbedtls_x509_crt_parse_file(&backend->cacert, ssl_cafile); @@ -1154,6 +1172,7 @@ const struct Curl_ssl Curl_ssl_mbedtls = { { CURLSSLBACKEND_MBEDTLS, "mbedtls" }, /* info */ SSLSUPP_CA_PATH | + SSLSUPP_CAINFO_BLOB | SSLSUPP_PINNEDPUBKEY | SSLSUPP_SSL_CTX,
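Review bot: The failf() call in the new ca_info_blob branch passes `ca_info_blob`, a `const struct curl_blob *`, as the argument for the `%s` conversion, so the struct's own bytes (its data pointer and length) are read as a NUL-terminated string — undefined behavior that at best prints garbage and at worst over-reads or leaks heap-address bytes into a user-visible error message. A blob has no printable name, so drop the placeholder: `failf(data, "Error importing ca cert blob - mbedTLS: (-0x%04X) %s", -ret, errorbuf);`. The `if(verifypeer) return ret;` below it also propagates mbedTLS's negative error code instead of a CURLcode; assuming mbed_connect_step1 returns CURLcode like the rest of this backend, it should be `return CURLE_SSL_CACERT_BADFILE;` so callers get the same error as the ssl_cafile path that the hunk cuts off. One more caveat worth a comment next to the parse call: mbedtls_x509_crt_parse() only accepts PEM input that is NUL-terminated with the terminator counted in the length, which an application-supplied blob is not guaranteed to provide, so a PEM blob that works with the other backends may be rejected here unless it is first copied into a NUL-terminated buffer. mbed_connect_step1 starts before this hunk and continues past it.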