From: Jay Satiro Date: Wed, 19 Feb 2025 08:25:32 +0000 (-0500) Subject: wolfssl: fix CA certificate multiple location import X-Git-Tag: curl-8_13_0~410 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=210c0c088ecac3c4c843e67296facc62c05b8ae6;p=thirdparty%2Fcurl.git wolfssl: fix CA certificate multiple location import - Do not set x509_store_setup until after all CA certificate imports. - If CA blob import fails then return error unconditionally. This is to sync the behavior with OpenSSL and other backends. Prior to this change, setting CA native and/or CA blob were treated as mutually exclusive from setting CA file and/or CA path. CA blob import still overrides CA file import as documented. Closes https://github.com/curl/curl/pull/16391
---
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index c9b1c8e5ec..52a86e7e51 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -514,6 +514,7 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
   const char * const ssl_capath = conn_config->CApath;
   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
   bool imported_native_ca = FALSE;
+  bool imported_ca_info_blob = FALSE;
 
 #if !defined(NO_FILESYSTEM) && defined(WOLFSSL_SYS_CA_CERTS)
   /* load native CA certificates */
@@ -524,7 +525,6 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
     else {
       imported_native_ca = TRUE;
       infof(data, "successfully imported native CA store");
-      wssl->x509_store_setup = TRUE;
     }
   }
 #endif /* !NO_FILESYSTEM */
@@ -535,17 +535,12 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf, (long)ca_info_blob->len, WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { - if(imported_native_ca) { - infof(data, "error importing CA certificate blob, continuing anyway"); - } - else { - failf(data, "error importing CA certificate blob"); - return CURLE_SSL_CACERT_BADFILE; - } + failf(data, "error importing CA certificate blob"); + return CURLE_SSL_CACERT_BADFILE; } else { + imported_ca_info_blob = TRUE; infof(data, "successfully imported CA certificate blob"); - wssl->x509_store_setup = TRUE; } } @@ -557,14 +552,15 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf, if(!store) return CURLE_OUT_OF_MEMORY; - if((ssl_cafile || ssl_capath) && (!wssl->x509_store_setup)) { + if(ssl_cafile || ssl_capath) { int rc = wolfSSL_CTX_load_verify_locations_ex(wssl->ctx, ssl_cafile, ssl_capath, WOLFSSL_LOAD_FLAG_IGNORE_ERR); if(WOLFSSL_SUCCESS != rc) { - if(conn_config->verifypeer) { + if(conn_config->verifypeer && + !imported_native_ca && !imported_ca_info_blob) { /* Fail if we insist on successfully verifying the server. */ failf(data, "error setting certificate verify locations:" " CAfile: %s CApath: %s",
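Review bot: The new `imported_ca_info_blob = TRUE;` in the success branch of the blob import carries no comment saying what the flag gates, and its only visible consumer is the relaxed condition in the following hunk (`if(conn_config->verifypeer && !imported_native_ca && !imported_ca_info_blob)`), where a CAfile/CApath load error stops being fatal under verifypeer once a blob or native store has been imported. Because the flag therefore decides whether a `wolfSSL_CTX_load_verify_locations_ex` failure is reported as `failf` and an error or merely logged, a one-line comment at the assignment, e.g. `/* trust store now populated: a later CAfile/CApath load failure is logged, not fatal */`, would make that intent reviewable here rather than two hunks away. The unconditional `return CURLE_SSL_CACERT_BADFILE;` on blob failure is the fail-closed behaviour the description promises and looks right. Both assignments of `wssl->x509_store_setup = TRUE;` are removed in this and the earlier hunk, so it is worth confirming in the part of wssl_populate_x509_store that lies outside this view (the next hunk is cut off) that the flag is now set exactly once, after every import has been attempted.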