Require the keyCertSign key usage on non-root intermediate CAs added during
path building when a KeyUsage extension is present, per RFC 5280. Adds a
regression test.
Robustness fixes in the OpenSSL-compatibility certificate verifier, independent
of the depth-exhaustion fix:
- Fail closed on allocation failure. When the failedCerts working stack could
not be allocated, the function fell through to exit with ret still set to
WOLFSSL_SUCCESS and reported the chain as verified without checking anything
(a fail-open regression from the leak fix that turned the early return into a
goto exit). Also check the ctx->chain allocation. Both now set an error.
- Remove caller-supplied intermediates from the correct stack. The intermediates
appended to the working cert list during chain building were popped from
ctx->store->certs by count, but they are appended to whichever stack is in use
- which may be the caller's setTrustedSk (X509_STORE_CTX_set0_trusted_stack).
Remove them by pointer identity from that same stack, recomputed from
ctxIntermediates. Identity removal also survives the chain-building retries
that reorder the stack, where a positional pop could drop a legitimate trusted
entry and leave an injected intermediate behind - which a later verification
reusing the store/ctx would then snapshot as a trust anchor. The removal helper
walks the list once (O(n)) rather than indexing per position.
- NULL-guard ctx->store->param before dereferencing its flags in the
partial-chain check.
Add regression tests covering: the trusted stack being restored after
verification, and the retry path (tampered plus genuine same-subject
intermediates, both orderings) leaving the store clean for later use.
Fail compatibility-layer verification when the path-building loop runs
out of its depth budget before reaching a configured trust anchor,
instead of accepting the last verified link. Add a regression test.
Ensure caller-supplied intermediate certificates cannot terminate the
chain during compatibility-layer verification; a path must reach a
configured trust anchor. Add a regression test and supporting certs.
crl.c, internal.h: leak of sigParams requiring reorder the struct fields to that it is above memcpy part.
dtl13.c: free the DRLS fragments buffer in Dtls13FreeFsmResources in case fragment is never sent.
ocsp.c: only free cid if locally allocated.
tls.c: make sure ecc_kse is zeroized and can be freed.
tls13.c: set hsHashesEch after init so isn't lost on failure.
evp_pk.c: free key on the BIO error path
Fixed various tests to not leak or crash on memory allocation failure.
When an untrusted issuer has CA:FALSE and no verify_cb is registered,
the !isCa branch now fails closed (ret=WOLFSSL_FAILURE, goto exit)
instead of falling through and skipping X509StoreVerifyCert for the
leaf. SetupStoreCtxError_ex is also hardened to never overwrite a
previously recorded error with success, preventing a later valid chain
link from clobbering ctx->error back to X509_V_OK. Tests added for
both the no-callback rejection and the error-preservation cases.
Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
Move EC and RSA code out of pk.c into separate file.
Move out of ssl.c into separate files:
- Certificate APIs
- CRL/OCSP APIs
- Public Key APIs
- ECH
Internal Certificate Manager APIs pulled out into ssl_certman.c.
d2i and i2d WOLFSSL_EVP_PKEY APIs pulled out into evp_pk.c.
Fix formatting.