authorMatthias Andree <matthias.andree@gmx.de>2021-11-20 19:23:57 +0100
committerMatthias Andree <matthias.andree@gmx.de>2021-11-21 00:37:08 +0100
commit12e9056cc0db29fdc1cfd79c6e08bc53ab4ab0af (patch)
tree895954e1a4208fb8aab6c18db4d89def239aa386
parentf3d5722682201383f6c3d23dd9c8b51a47f90b01 (diff)
downloadfetchmail-12e9056cc0db29fdc1cfd79c6e08bc53ab4ab0af.tar.gz
fetchmail-12e9056cc0db29fdc1cfd79c6e08bc53ab4ab0af.tar.bz2
fetchmail-12e9056cc0db29fdc1cfd79c6e08bc53ab4ab0af.zip
wolfSSL: support WOLFSSL_TRUST_FILE as default trust store
...because wolfSSL 5.0.0 does not support a default trust store, unlike OpenSSL.
-rw-r--r--INSTALL18
-rw-r--r--configure.ac5
-rw-r--r--socket.c34
3 files changed, 52 insertions, 5 deletions
diff --git a/INSTALL b/INSTALL
index 0fb7aca1..32f27233 100644
--- a/INSTALL
+++ b/INSTALL
@@ -51,6 +51,8 @@ with all OpenSSL APIs (as of 5.0.0):
./configure --enable-opensslall --enable-harden
make && make test && make install
+fetchmail's configure option --with-wolfssl takes precedence over --with-ssl.
+
1.2 gettext (internationalization)
Internationalization of fetchmail requires GNU gettext (libintl and
@@ -89,7 +91,21 @@ configure option '--with-included-gettext'.
Installing fetchmail is easy. From within this directory, type:
- ./configure
+When using OpenSSL:
+
+ ./configure
+
+When using wolfSSL (adjust the location, see below):
+
+ ./configure --with-wolfssl \
+ WOLFSSL_TRUST_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+
+Here, you need to adjust the file path according to where your ca_cert_nss or
+ca-certificates package installs the default trust bundle in PEM format with
+BEGIN CERTIFICATE lines. Some typical locations as of 2021 are:
+on Fedora Linux: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+on Debian/Ubuntu: /etc/ssl/certs/ca-certificates.crt
+on FreeBSD: /usr/local/share/certs/ca-root-nss.crt
The autoconfiguration script will spend a bit of time figuring out the
specifics of your system. If you want to specify a particular compiler
diff --git a/configure.ac b/configure.ac
index 14d8c8ab..533bb05c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -760,6 +760,11 @@ if test "$with_wolfssl" != "no" ; then
AC_DEFINE(SSL_ENABLE, 1)
AS_MESSAGE(Enabling SSL support through wolfSSL.)
with_ssl=yes
+ if test -z "$WOLFSSL_TRUST_FILE" ; then
+ AC_MSG_ERROR([You must define WOLFSSL_TRUST_FILE and point it to the default CA certificate file (PEM format)])
+ fi
+ AC_DEFINE_UNQUOTED(WOLFSSL_TRUST_FILE, "$WOLFSSL_TRUST_FILE",
+ [Set to the default file of trusted certificates.])
else
### use option --with-ssl to compile in the SSL support
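Review bot: WOLFSSL_TRUST_FILE is read straight from the environment at the new test, but it is never declared with AC_ARG_VAR, so it does not appear in `./configure --help` and is not preserved by `config.status --recheck`, which can drop the value on a re-run. Adding `AC_ARG_VAR([WOLFSSL_TRUST_FILE], [default CA certificate bundle (PEM) used with --with-wolfssl])` next to the wolfSSL option fixes both. The check also only rejects an empty string: a mistyped path is not caught until the first TLS connection fails to load its trust store, so a configure-time `AC_MSG_WARN` when `test ! -r "$WOLFSSL_TRUST_FILE"` would surface it early, kept to a warning because the build host need not be the target host. The enclosing `if test "$with_wolfssl" != "no"` block starts before the hunk.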
diff --git a/socket.c b/socket.c
index 6fee32ea..eb532655 100644
--- a/socket.c
+++ b/socket.c
@@ -1178,17 +1178,43 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
{
char *tmp;
int want_default_cacerts = 0;
+ int r = 1;
+ const char *l1 = 0, *l2 = 0;
/* Load user locations if any is given */
- if (certpath || cacertfile)
- SSL_CTX_load_verify_locations(_ctx[sock],
+ if (certpath || cacertfile) {
+ l1 = cacertfile;
+ l2 = certpath;
+ r = SSL_CTX_load_verify_locations(_ctx[sock],
cacertfile, certpath);
- else
+ if (1 != r) goto no_verify_load;
+ } else {
want_default_cacerts = 1;
+ }
tmp = getenv("FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS");
if (want_default_cacerts || (tmp && tmp[0])) {
- SSL_CTX_set_default_verify_paths(_ctx[sock]);
+#ifdef USING_WOLFSSL
+ /* wolfSSL 5.0.0 does not implement
+ * SSL_CTX_set_default_verify_paths(). Use something
+ * else: */
+ const char *tmp = WOLFSSL_TRUST_FILE;
+ l1 = tmp; l2=NULL;
+ if (*tmp)
+ r = SSL_CTX_load_verify_locations(_ctx[sock],
+ tmp, NULL);
+#else
+ r = SSL_CTX_set_default_verify_paths(_ctx[sock]);
+ if (1 != r) goto no_verify_load;
+#endif
+ }
+
+ if (1 != r) {
+no_verify_load:
+ report(stderr, GT_("Cannot load verify locations (file=\"%s\", dir=\"%s\"), error %d:\n"),
+ l1?l1:"(null)", l2?l2:"(null)", r);
+ ERR_print_errors_fp(stderr);
+ return -1;
}
}
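Review bot: The error report can misattribute the failure: when certpath/cacertfile were given and FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS is also set, a failing SSL_CTX_set_default_verify_paths() in the #else branch is reported with file=cacertfile dir=certpath, which had loaded successfully; clearing the labels with `l1 = l2 = NULL;` before that call keeps the message truthful (the wolfSSL branch already resets them). `const char *tmp = WOLFSSL_TRUST_FILE;` shadows the outer `tmp` holding the getenv() result and will trip -Wshadow; a distinct name such as `trustfile` avoids the confusion. The `goto no_verify_load` into the body of `if (1 != r)` is legal but unusual, and both gotos only skip ahead to a check that is reached anyway, so guarding the default-path load with `if (r == 1 && (want_default_cacerts || (tmp && tmp[0])))` would let the label and both gotos go. SSLOpen continues past the end of the hunk.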