author | Florian Van Heghe <florian.van.heghe@guardsquare.com> | 2021-11-29 15:22:33 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2021-11-30 16:19:46 +0100 |
commit | 8443f975c0509595515d39532527c8c3e7e7313e (patch) | |
tree | efa254e5b68f28e8472a5ea59028a3024dabece3 | |
parent | aae235b6ba92662a6fb7b459614f7ee2e290ae17 (diff) | |
download | curl-8443f975c0509595515d39532527c8c3e7e7313e.tar.gz |
mbedTLS: add support for CURLOPT_CAINFO_BLOB
Closes #8071
-rw-r--r-- | docs/libcurl/opts/CURLOPT_CAINFO_BLOB.3 | 2 | ||||
-rw-r--r-- | lib/vtls/mbedtls.c | 21 |
2 files changed, 21 insertions, 2 deletions
diff --git a/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.3 b/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.3
index 72923e812..777b2e336 100644
--- a/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.3
+++ b/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.3
@@ -61,7 +61,7 @@ if(curl) {
 .SH AVAILABILITY
 Added in 7.77.0.
-This option is supported by the BearSSL (since 7.79.0),
+This option is supported by the BearSSL (since 7.79.0), mbedTLS (since 7.81.0),
 OpenSSL, Secure Transport and Schannel backends.
 .SH RETURN VALUE
 Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 08c79e162..ba5c5d756 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -270,7 +270,10 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
 {
 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
 struct ssl_backend_data *backend = connssl->backend;
- const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+ const struct curl_blob *ca_info_blob = SSL_CONN_CONFIG(ca_info_blob);
+ const char * const ssl_cafile =
+ /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
+ (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
 const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
 const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
 char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
@@ -316,6 +319,21 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
 /* Load the trusted CA */
 mbedtls_x509_crt_init(&backend->cacert);
+ if(ca_info_blob) {
+ const unsigned char *blob_data = (const unsigned char *)ca_info_blob->data;
+ ret = mbedtls_x509_crt_parse(&backend->cacert, blob_data,
+ ca_info_blob->len);
+
+ if(ret<0) {
+ mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
+ failf(data, "Error importing ca cert blob %s - mbedTLS: (-0x%04X) %s",
+ ca_info_blob, -ret, errorbuf);
+
+ if(verifypeer)
+ return ret;
+ }
+ }
+
 if(ssl_cafile) {
 ret = mbedtls_x509_crt_parse_file(&backend->cacert, ssl_cafile);
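Review bot: In the added `if(ca_info_blob)` block of the second mbedtls.c hunk, the `%s` conversion in the failf() call is fed `ca_info_blob`, a `const struct curl_blob *`, not a string, so the log line interprets the struct's memory as a C string (undefined behavior, and a -Wformat warning on a printf-attributed wrapper); drop that conversion and its argument: `failf(data, "Error importing ca cert blob - mbedTLS: (-0x%04X) %s", -ret, errorbuf);`. The same branch then does `return ret;` with the raw negative mbedTLS status, while the existing ssl_cafile branch that follows (its error path is outside the hunk) presumably reports a CURLcode, so if mbed_connect_step1 returns CURLcode as the rest of the backend does this should be `return CURLE_SSL_CACERT_BADFILE;` rather than leaking a backend-specific value into the transfer result. Separately, mbedtls_x509_crt_parse() only recognizes PEM input when the buffer is NUL-terminated and `buflen` counts that terminator, so a PEM blob handed over at its exact application-supplied length is treated as DER and rejected; either document that CURLOPT_CAINFO_BLOB must be DER or NUL-terminated PEM for this backend, or parse a NUL-terminated copy and pass `len + 1`. mbed_connect_step1 starts and ends outside the hunk.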
@@ -1154,6 +1172,7 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
 { CURLSSLBACKEND_MBEDTLS, "mbedtls" }, /* info */
 SSLSUPP_CA_PATH |
+ SSLSUPP_CAINFO_BLOB |
 SSLSUPP_PINNEDPUBKEY |
 SSLSUPP_SSL_CTX, |