wolfssl: fix CA certificate multiple location import
authorJay Satiro <raysatiro@yahoo.com>
Wed, 19 Feb 2025 08:25:32 +0000 (03:25 -0500)
committerJay Satiro <raysatiro@yahoo.com>
Fri, 21 Feb 2025 08:11:50 +0000 (03:11 -0500)
- Do not set x509_store_setup until after all CA certificate imports.

- If CA blob import fails then return error unconditionally.

This is to sync the behavior with OpenSSL and other backends.

Prior to this change, setting CA native and/or CA blob was treated as
mutually exclusive with setting CA file and/or CA path.

CA blob import still overrides CA file import as documented.

Closes https://github.com/curl/curl/pull/16391

lib/vtls/wolfssl.c

index c9b1c8e5eceea8726372a1860cd2508256fb030c..52a86e7e514650fc9da9b2e3516bf25892194d1c 100644 (file)
@@ -514,6 +514,7 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
   const char * const ssl_capath = conn_config->CApath;
   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
   bool imported_native_ca = FALSE;
+  bool imported_ca_info_blob = FALSE;
 
 #if !defined(NO_FILESYSTEM) && defined(WOLFSSL_SYS_CA_CERTS)
   /* load native CA certificates */
@@ -524,7 +525,6 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
     else {
       imported_native_ca = TRUE;
       infof(data, "successfully imported native CA store");
-      wssl->x509_store_setup = TRUE;
     }
   }
 #endif /* !NO_FILESYSTEM */
@@ -535,17 +535,12 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
                                       (long)ca_info_blob->len,
                                       WOLFSSL_FILETYPE_PEM) !=
        WOLFSSL_SUCCESS) {
-      if(imported_native_ca) {
-        infof(data, "error importing CA certificate blob, continuing anyway");
-      }
-      else {
-        failf(data, "error importing CA certificate blob");
-        return CURLE_SSL_CACERT_BADFILE;
-      }
+      failf(data, "error importing CA certificate blob");
+      return CURLE_SSL_CACERT_BADFILE;
     }
     else {
+      imported_ca_info_blob = TRUE;
       infof(data, "successfully imported CA certificate blob");
-      wssl->x509_store_setup = TRUE;
     }
   }
 
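Review bot: The unconditional `return CURLE_SSL_CACERT_BADFILE;` on blob import failure is now deliberately asymmetric with the CAfile/CApath path in the next hunk, which tolerates a load failure once a native store or blob has been imported, and nothing in the code records why; a short comment above the failf, such as `/* a CA blob is explicit caller-supplied trust data: a parse failure is always fatal, as in the OpenSSL backend */`, would stop a later change from re-adding a "continuing anyway" branch here. With the early return in place, the `else {` wrapping `imported_ca_info_blob = TRUE;` and the infof is redundant and the two statements could follow the if block directly. Whether `ssl_cafile` is already NULLed when a blob is set (so the blob really does override the file as the message says) depends on declarations above this hunk and cannot be confirmed from it. wssl_populate_x509_store starts and ends outside this hunk.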
@@ -557,14 +552,15 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
   if(!store)
     return CURLE_OUT_OF_MEMORY;
 
-  if((ssl_cafile || ssl_capath) && (!wssl->x509_store_setup)) {
+  if(ssl_cafile || ssl_capath) {
     int rc =
       wolfSSL_CTX_load_verify_locations_ex(wssl->ctx,
                                            ssl_cafile,
                                            ssl_capath,
                                            WOLFSSL_LOAD_FLAG_IGNORE_ERR);
     if(WOLFSSL_SUCCESS != rc) {
-      if(conn_config->verifypeer) {
+      if(conn_config->verifypeer &&
+         !imported_native_ca && !imported_ca_info_blob) {
         /* Fail if we insist on successfully verifying the server. */
         failf(data, "error setting certificate verify locations:"
               " CAfile: %s CApath: %s",