From: Stefan Eissing <stefan@eissing.org>
Date: Wed, 17 Dec 2025 11:31:39 +0000 (+0100)
Subject: apple sectrust: fix ancient evaluation
X-Git-Tag: rc-8_18_0-3~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f099c2ca55652e1694188937808d77ebfe2f1df4;p=thirdparty%2Fcurl.git

apple sectrust: fix ancient evaluation

On versions before macOS 10.14, ios 12 and watchos 5, check the
evaluation code to return the error from evaluation.

Reported-by: Stanislav Fort
Closes #20074
---

diff --git a/lib/vtls/apple.c b/lib/vtls/apple.c
index 0b81e95e86..9779e11eaa 100644
--- a/lib/vtls/apple.c
+++ b/lib/vtls/apple.c
@@ -261,12 +261,17 @@ CURLcode Curl_vtls_apple_verify(struct Curl_cfilter *cf,
 
     if(status != noErr) {
       failf(data, "Apple SecTrust verification failed: error %i", (int)status);
+      result = CURLE_PEER_FAILED_VERIFICATION;
     }
     else if((sec_result == kSecTrustResultUnspecified) ||
             (sec_result == kSecTrustResultProceed)) {
       /* "unspecified" means system-trusted with no explicit user setting */
       result = CURLE_OK;
     }
+    else {
+      /* Any other trust result is a verification failure in this context */
+      result = CURLE_PEER_FAILED_VERIFICATION;
+    }
 #endif /* REQUIRES_SecTrustEvaluateWithError */
   }