From 8420fef5904efbf08aae8658d65d2e61bc6ee3e3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 19 Sep 2023 10:53:44 +0200
Subject: [PATCH] wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files

Ref: #11883
Reported-by: Michael Osipov
Closes #11884
---
 lib/vtls/wolfssl.c | 56 ++++++++++++++++++++++++----------------------
 1 file changed, 29 insertions(+), 27 deletions(-)

diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 5f15720742..3c2058c763 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -541,37 +541,39 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
   }
 
 #ifndef NO_FILESYSTEM
-  /* load trusted cacert */
-  if(conn_config->CAfile) {
-    if(1 != wolfSSL_CTX_load_verify_locations(backend->ctx,
-                                              conn_config->CAfile,
-                                              conn_config->CApath)) {
-      if(conn_config->verifypeer && !imported_ca_info_blob &&
-         !imported_native_ca) {
-        /* Fail if we insist on successfully verifying the server. */
-        failf(data, "error setting certificate verify locations:"
-              " CAfile: %s CApath: %s",
-              conn_config->CAfile?
-              conn_config->CAfile: "none",
-              conn_config->CApath?
-              conn_config->CApath : "none");
-        return CURLE_SSL_CACERT_BADFILE;
+  else {
+  /* load trusted cacert from file if not blob */
+    if(conn_config->CAfile || conn_config->CApath) {
+      if(1 != wolfSSL_CTX_load_verify_locations(backend->ctx,
+                                                conn_config->CAfile,
+                                                conn_config->CApath)) {
+        if(conn_config->verifypeer && !imported_ca_info_blob &&
+           !imported_native_ca) {
+          /* Fail if we insist on successfully verifying the server. */
+          failf(data, "error setting certificate verify locations:"
+                " CAfile: %s CApath: %s",
+                conn_config->CAfile?
+                conn_config->CAfile: "none",
+                conn_config->CApath?
+                conn_config->CApath : "none");
+          return CURLE_SSL_CACERT_BADFILE;
+        }
+        else {
+          /* Just continue with a warning if no strict certificate
+             verification is required. */
+          infof(data, "error setting certificate verify locations,"
+                " continuing anyway:");
+        }
       }
       else {
-        /* Just continue with a warning if no strict certificate
-           verification is required. */
-        infof(data, "error setting certificate verify locations,"
-              " continuing anyway:");
+        /* Everything is fine. */
+        infof(data, "successfully set certificate verify locations:");
       }
+      infof(data, " CAfile: %s",
+            conn_config->CAfile ? conn_config->CAfile : "none");
+      infof(data, " CApath: %s",
+            conn_config->CApath ? conn_config->CApath : "none");
     }
-    else {
-      /* Everything is fine. */
-      infof(data, "successfully set certificate verify locations:");
-    }
-    infof(data, " CAfile: %s",
-          conn_config->CAfile ? conn_config->CAfile : "none");
-    infof(data, " CApath: %s",
-          conn_config->CApath ? conn_config->CApath : "none");
   }
 
   /* Load the client certificate, and private key */
-- 
2.47.3