From: Daniel McCarney
Date: Mon, 24 Mar 2025 16:43:22 +0000 (-0400)
Subject: rustls: support native platform verifier
X-Git-Tag: curl-8_13_0~47
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1821ea8b14fa10e3370627a36bcff994e3c58a1f;p=thirdparty%2Fcurl.git

rustls: support native platform verifier

e.g. `curl --ca-native ...`
---

diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c
index e73e867917..0f07e8e215 100644
--- a/lib/vtls/rustls.c
+++ b/lib/vtls/rustls.c
@@ -796,6 +796,32 @@ cleanup:
 return result;
 }
 
+static CURLcode
+init_config_builder_platform_verifier(
+ struct Curl_easy *data,
+ struct rustls_client_config_builder *builder)
+{
+ struct rustls_server_cert_verifier *server_cert_verifier = NULL;
+ CURLcode result = CURLE_OK;
+ rustls_result rr;
+
+ rr = rustls_platform_server_cert_verifier(&server_cert_verifier);
+ if(rr != RUSTLS_RESULT_OK) {
+ rustls_failf(data, rr, "failed to create platform certificate verifier");
+ result = CURLE_SSL_CACERT_BADFILE;
+ goto cleanup;
+ }
+
+ rustls_client_config_builder_set_server_verifier(builder,
+ server_cert_verifier);
+
+cleanup:
+ if(server_cert_verifier) {
+ rustls_server_cert_verifier_free(server_cert_verifier);
+ }
+ return result;
+}
+
 static CURLcode
 init_config_builder_keylog(struct Curl_easy *data,
 struct rustls_client_config_builder *builder)
@@ -1025,6 +1051,13 @@ cr_init_backend(struct Curl_cfilter *cf, struct Curl_easy *data,
 rustls_client_config_builder_dangerous_set_certificate_verifier(
 config_builder, cr_verify_none);
 }
+ else if(ssl_config->native_ca_store) {
+ result = init_config_builder_platform_verifier(data, config_builder);
+ if(result != CURLE_OK) {
+ rustls_client_config_builder_free(config_builder);
+ return result;
+ }
+ }
 else if(ca_info_blob || ssl_cafile) {
 result = init_config_builder_verifier(data,
 config_builder,
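Review bot: The `cleanup:` path in init_config_builder_platform_verifier frees `server_cert_verifier` immediately after handing it to `rustls_client_config_builder_set_server_verifier`, and nothing in the function says why that is safe. This is only correct if the builder keeps its own reference to the verifier, which is a library contract not visible in this hunk. A one-line comment above the free would keep a later reader from "fixing" it into a leak or a use-after-free: `/* the builder holds its own reference to the verifier; release ours */`. A short header comment stating that the function installs the platform verifier as the builder's only server-certificate verifier would also help, since the certificate-verification path is where silent changes are most costly.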
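Review bot: The new `else if(ssl_config->native_ca_store)` branch is tested before `else if(ca_info_blob || ssl_cafile)`, so a transfer configured with both the native store and a CA file or blob silently ignores the file or blob and verifies against the platform roots only. Any other verification input applied inside init_config_builder_verifier would be skipped the same way; its body is outside this hunk, and a configured CRL file is the one worth checking. The combination should be made visible, for example by adding `if(ca_info_blob || ssl_cafile) infof(data, "rustls: native CA store selected, ignoring configured CA file/blob");` inside the new branch, or by failing the setup if the combination is not meant to be supported. cr_init_backend starts and ends outside the hunk.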