wolfssl: fix CA certificate multiple location import

- Do not set x509_store_setup until after all CA certificate imports. - If CA blob import fails then return error unconditionally. This is to sync the behavior with OpenSSL and other backends. Prior to this change, setting CA native and/or CA blob were treated as mutually exclusive from setting CA file and/or CA path. CA blob import still overrides CA file import as documented. Closes https://github.com/curl/curl/pull/16391
2025-02-19 03:25:32 -05:00 · 2025-02-19 03:25:32 -05:00 · 210c0c088e
commit 210c0c088e
parent fb61d76580
1 changed files with 7 additions and 11 deletions
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@ -514,6 +514,7 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
  const char * const ssl_capath = conn_config->CApath;
  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
  bool imported_native_ca = FALSE;
+  bool imported_ca_info_blob = FALSE;

 #if !defined(NO_FILESYSTEM) && defined(WOLFSSL_SYS_CA_CERTS)
  /* load native CA certificates */
@ -524,7 +525,6 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
    else {
      imported_native_ca = TRUE;
      infof(data, "successfully imported native CA store");
-      wssl->x509_store_setup = TRUE;
    }
  }
 #endif /* !NO_FILESYSTEM */
@ -535,17 +535,12 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
                                      (long)ca_info_blob->len,
                                      WOLFSSL_FILETYPE_PEM) !=
       WOLFSSL_SUCCESS) {
-      if(imported_native_ca) {
-        infof(data, "error importing CA certificate blob, continuing anyway");
-      }
-      else {
-        failf(data, "error importing CA certificate blob");
-        return CURLE_SSL_CACERT_BADFILE;
-      }
+      failf(data, "error importing CA certificate blob");
+      return CURLE_SSL_CACERT_BADFILE;
    }
    else {
+      imported_ca_info_blob = TRUE;
      infof(data, "successfully imported CA certificate blob");
-      wssl->x509_store_setup = TRUE;
    }
  }

@ -557,14 +552,15 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
  if(!store)
    return CURLE_OUT_OF_MEMORY;

-  if((ssl_cafile || ssl_capath) && (!wssl->x509_store_setup)) {
+  if(ssl_cafile || ssl_capath) {
    int rc =
      wolfSSL_CTX_load_verify_locations_ex(wssl->ctx,
                                           ssl_cafile,
                                           ssl_capath,
                                           WOLFSSL_LOAD_FLAG_IGNORE_ERR);
    if(WOLFSSL_SUCCESS != rc) {
-      if(conn_config->verifypeer) {
+      if(conn_config->verifypeer &&
+         !imported_native_ca && !imported_ca_info_blob) {
        /* Fail if we insist on successfully verifying the server. */
        failf(data, "error setting certificate verify locations:"
              " CAfile: %s CApath: %s",