address copilot, fenrir, and internal review

- Copilot: privkey double-free — Fixed: added privkey = NULL after mid-function free at line 454
- Copilot: ForceZero NULL guard in OCSP — Fixed: added if (signerKeyDer != NULL && signerKeyDerSz > 0) guard
- Copilot: ForceZero on key buffers in GenChimeraCertSign — Fixed: added ForceZero on caKeyBuf, altCaKeyBuf, serverKeyBuf before XFREE
- Fenrir: pkey vs privkey — No change needed: pkey is a borrowed ref from X509_get0_pubkey, not owned by caller. Removing the free was correct.
- Fenrir: Missing ForceZero on heap key buffers — Same as Copilot #3, addressed above
- CI: switch-enum errors — Fixed: removed inner #ifdef guards on enum cases that always exist, added SM3 under #ifdef WOLFSSL_SM3, removed
WC_HASH_TYPE_MAX (duplicate value)
- CI: heap-buffer-overflow in strstr — Fixed: allocate inBufSz + 1 and null-terminate for XSTRSTR safety
- CI: heap-use-after-free — Fixed by the privkey NULL fix above

Author: aidangarske

src/ocsp/clu_ocsp.c

@@ -884,7 +884,8 @@ static int ocspResponder(OcspResponderConfig* config)
     freeIndexEntries(indexEntries);
     XFREE(caCertDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(signerCertDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    wolfCLU_ForceZero(signerKeyDer, signerKeyDerSz);
+    if (signerKeyDer != NULL && signerKeyDerSz > 0)
+        wolfCLU_ForceZero(signerKeyDer, signerKeyDerSz);
     XFREE(signerKeyDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(caSubject, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
 

src/x509/clu_cert_setup.c

@@ -326,12 +326,13 @@ int wolfCLU_certSetup(int argc, char** argv)
             ret = WOLFCLU_FATAL_ERROR;
         }
         else {
-            inBufRaw = (byte*)XMALLOC(inBufSz, HEAP_HINT,
+            inBufRaw = (byte*)XMALLOC(inBufSz + 1, HEAP_HINT,
                                       DYNAMIC_TYPE_TMP_BUFFER);
             if (inBufRaw == NULL) {
                 ret = WOLFCLU_FATAL_ERROR;
             }
             else {
+                inBufRaw[inBufSz] = '\0';
                 if (wolfSSL_BIO_read(inMem, inBufRaw, inBufSz) != inBufSz) {
                     wolfCLU_LogError("Failed to read input.");
                     ret = WOLFCLU_FATAL_ERROR;
@@ -452,6 +453,7 @@ int wolfCLU_certSetup(int argc, char** argv)
             }
         }
         wolfSSL_EVP_PKEY_free(privkey);
+        privkey = NULL;
     }
 
     /* try to open output file if set */

src/x509/clu_x509_sign.c

@@ -925,6 +925,12 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
         wolfSSL_BIO_free(out);
     }
 
+    if (caKeyBuf != NULL)
+        wolfCLU_ForceZero(caKeyBuf, LARGE_TEMP_SZ);
+    if (altCaKeyBuf != NULL)
+        wolfCLU_ForceZero(altCaKeyBuf, LARGE_TEMP_SZ);
+    if (serverKeyBuf != NULL)
+        wolfCLU_ForceZero(serverKeyBuf, LARGE_TEMP_SZ);
     XFREE(caKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(altCaKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(sapkiBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
@@ -1312,17 +1318,12 @@ int wolfCLU_CertSign(WOLFCLU_CERT_SIGN* csign, WOLFSSL_X509* x509)
             case WC_HASH_TYPE_BLAKE2S:
 
     #if LIBWOLFSSL_VERSION_HEX > 0x05001000
-        #ifndef WOLFSSL_NOSHA512_224
             case WC_HASH_TYPE_SHA512_224:
-        #endif
-        #ifndef WOLFSSL_NOSHA512_256
             case WC_HASH_TYPE_SHA512_256:
-        #endif
-        #ifdef WOLFSSL_SHAKE128
             case WC_HASH_TYPE_SHAKE128:
-        #endif
-        #ifdef WOLFSSL_SHAKE256
             case WC_HASH_TYPE_SHAKE256:
+        #ifdef WOLFSSL_SM3
+            case WC_HASH_TYPE_SM3:
         #endif
     #endif
             default: