Merge pull request wolfSSL#6895 from bigbrett/ios-ca-api

Fix WOLFSSL_SYS_CA_CERTS bug on Apple devices
miyazakh · Oct 23, 2023 · 1de0488 · 1de0488
2 parents 9db828a + 2387579
commit 1de0488
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/src/internal.c b/src/internal.c
@@ -14223,7 +14223,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     /* If we are using native Apple CA validation, it is okay
                      * for a CA cert to fail validation here, as we will verify
                      * the entire chain when we hit the peer (leaf) cert */
-                    if (ssl->ctx->doAppleNativeCertValidationFlag) {
+                    if ((ssl->ctx->doAppleNativeCertValidationFlag)
+                        && (ret == ASN_NO_SIGNER_E)) {
+
                         WOLFSSL_MSG("Bypassing errors to allow for Apple native"
                                     " CA validation");
                         ret = 0; /* clear errors and continue */

diff --git a/src/ssl.c b/src/ssl.c
@@ -8576,6 +8576,12 @@ int wolfSSL_CTX_load_system_CA_certs(WOLFSSL_CTX* ctx)
     ctx->doAppleNativeCertValidationFlag = 1;
     ret = WOLFSSL_SUCCESS;
     loaded = 1;
+
+#if FIPS_VERSION_GE(2,0) /* Gate back to cert 3389 FIPS modules */
+#warning "Cryptographic operations may occur outside the FIPS module boundary" \
+         "Please review FIPS claims for cryptography on this Apple device"
+#endif /* FIPS_VERSION_GE(2,0) */
+
 #else
 /* HAVE_SECURITY_SECXXX_H macros are set by autotools or CMake when searching
  * system for the required SDK headers. If building with user_settings.h, you