luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

wolfssl: fix CA certificate multiple location import

Browse Source 
- Do not set x509_store_setup until after all CA certificate imports.

- If CA blob import fails then return error unconditionally.

This is to sync the behavior with OpenSSL and other backends.

Prior to this change, setting CA native and/or CA blob were treated as
mutually exclusive from setting CA file and/or CA path.

CA blob import still overrides CA file import as documented.

Closes https://github.com/curl/curl/pull/16391
This commit is contained in:
Jay Satiro 2025-02-19 03:25:32 -05:00
parent fb61d76580
commit 210c0c088e
1 changed files with 7 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/vtls/wolfssl.c
View File

@ -514,6 +514,7 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
const char * const ssl_capath = conn_config->CApath; const char * const ssl_capath = conn_config->CApath;
struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
bool imported_native_ca = FALSE; bool imported_native_ca = FALSE;
bool imported_ca_info_blob = FALSE;
#if !defined(NO_FILESYSTEM) && defined(WOLFSSL_SYS_CA_CERTS) #if !defined(NO_FILESYSTEM) && defined(WOLFSSL_SYS_CA_CERTS)
/* load native CA certificates */ /* load native CA certificates */
@ -524,7 +525,6 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
else { else {
imported_native_ca = TRUE; imported_native_ca = TRUE;
infof(data, "successfully imported native CA store"); infof(data, "successfully imported native CA store");
wssl->x509_store_setup = TRUE;
} }
} }
#endif /* !NO_FILESYSTEM */ #endif /* !NO_FILESYSTEM */
@ -535,17 +535,12 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
(long)ca_info_blob->len, (long)ca_info_blob->len,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_FILETYPE_PEM) !=
WOLFSSL_SUCCESS) { WOLFSSL_SUCCESS) {
if(imported_native_ca) {
infof(data, "error importing CA certificate blob, continuing anyway");
}
else {
failf(data, "error importing CA certificate blob"); failf(data, "error importing CA certificate blob");
return CURLE_SSL_CACERT_BADFILE; return CURLE_SSL_CACERT_BADFILE;
} }
}
else { else {
imported_ca_info_blob = TRUE;
infof(data, "successfully imported CA certificate blob"); infof(data, "successfully imported CA certificate blob");
wssl->x509_store_setup = TRUE;
} }
} }
@ -557,14 +552,15 @@ static CURLcode wssl_populate_x509_store(struct Curl_cfilter *cf,
if(!store) if(!store)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
if((ssl_cafile || ssl_capath) && (!wssl->x509_store_setup)) { if(ssl_cafile || ssl_capath) {
int rc = int rc =
wolfSSL_CTX_load_verify_locations_ex(wssl->ctx, wolfSSL_CTX_load_verify_locations_ex(wssl->ctx,
ssl_cafile, ssl_cafile,
ssl_capath, ssl_capath,
WOLFSSL_LOAD_FLAG_IGNORE_ERR); WOLFSSL_LOAD_FLAG_IGNORE_ERR);
if(WOLFSSL_SUCCESS != rc) { if(WOLFSSL_SUCCESS != rc) {
if(conn_config->verifypeer) { if(conn_config->verifypeer &&
!imported_native_ca && !imported_ca_info_blob) {
/* Fail if we insist on successfully verifying the server. */ /* Fail if we insist on successfully verifying the server. */
failf(data, "error setting certificate verify locations:" failf(data, "error setting certificate verify locations:"
" CAfile: %s CApath: %s", " CAfile: %s CApath: %s",