address copilot, fenrir, and internal review

aidangarske · aidangarske · commit b8f8a10ef9ed · 2026-04-03T10:54:43.000-07:00
- Copilot: privkey double-free — Fixed: added privkey = NULL after mid-function free at line 454 - Copilot: ForceZero NULL guard in OCSP — Fixed: added if (signerKeyDer != NULL && signerKeyDerSz > 0) guard - Copilot: ForceZero on key buffers in GenChimeraCertSign — Fixed: added ForceZero on caKeyBuf, altCaKeyBuf, serverKeyBuf before XFREE - Fenrir: pkey vs privkey — No change needed: pkey is a borrowed ref from X509_get0_pubkey, not owned by caller. Removing the free was correct. - Fenrir: Missing ForceZero on heap key buffers — Same as Copilot #3, addressed above - CI: switch-enum errors — Fixed: removed inner #ifdef guards on enum cases that always exist, added SM3 under #ifdef WOLFSSL_SM3, removed WC_HASH_TYPE_MAX (duplicate value) - CI: heap-buffer-overflow in strstr — Fixed: allocate inBufSz + 1 and null-terminate for XSTRSTR safety - CI: heap-use-after-free — Fixed by the privkey NULL fix above
diff --git a/src/ocsp/clu_ocsp.c b/src/ocsp/clu_ocsp.c
@@ -884,7 +884,8 @@ static int ocspResponder(OcspResponderConfig* config)
     freeIndexEntries(indexEntries);
     XFREE(caCertDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(signerCertDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    wolfCLU_ForceZero(signerKeyDer, signerKeyDerSz);
+    if (signerKeyDer != NULL && signerKeyDerSz > 0)
+        wolfCLU_ForceZero(signerKeyDer, signerKeyDerSz);
     XFREE(signerKeyDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(caSubject, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
 
diff --git a/src/x509/clu_cert_setup.c b/src/x509/clu_cert_setup.c
@@ -326,12 +326,13 @@ int wolfCLU_certSetup(int argc, char** argv)
             ret = WOLFCLU_FATAL_ERROR;
         }
         else {
-            inBufRaw = (byte*)XMALLOC(inBufSz, HEAP_HINT,
+            inBufRaw = (byte*)XMALLOC(inBufSz + 1, HEAP_HINT,
                                       DYNAMIC_TYPE_TMP_BUFFER);
             if (inBufRaw == NULL) {
                 ret = WOLFCLU_FATAL_ERROR;
             }
             else {
+                inBufRaw[inBufSz] = '\0';
                 if (wolfSSL_BIO_read(inMem, inBufRaw, inBufSz) != inBufSz) {
                     wolfCLU_LogError("Failed to read input.");
                     ret = WOLFCLU_FATAL_ERROR;
@@ -452,6 +453,7 @@ int wolfCLU_certSetup(int argc, char** argv)
             }
         }
         wolfSSL_EVP_PKEY_free(privkey);
+        privkey = NULL;
     }
 
     /* try to open output file if set */
@@ -749,10 +751,14 @@ int wolfCLU_certSetup(int argc, char** argv)
         }
         else {
             if (wolfSSL_EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
-                    const WOLFSSL_BIGNUM *num;
+                    const WOLFSSL_BIGNUM *num = NULL;
+                    WOLFSSL_RSA *rsa;
                     char *hex;
 
-                    wolfSSL_RSA_get0_key(EVP_PKEY_get0_RSA(pkey), &num, NULL, NULL);
+                    rsa = EVP_PKEY_get0_RSA(pkey);
+                    if (rsa != NULL) {
+                        wolfSSL_RSA_get0_key(rsa, &num, NULL, NULL);
+                    }
                     hex = wolfSSL_BN_bn2hex(num);
 
                     if (hex != NULL) {
diff --git a/src/x509/clu_x509_sign.c b/src/x509/clu_x509_sign.c
@@ -925,6 +925,12 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
         wolfSSL_BIO_free(out);
     }
 
+    if (caKeyBuf != NULL)
+        wolfCLU_ForceZero(caKeyBuf, LARGE_TEMP_SZ);
+    if (altCaKeyBuf != NULL)
+        wolfCLU_ForceZero(altCaKeyBuf, LARGE_TEMP_SZ);
+    if (serverKeyBuf != NULL)
+        wolfCLU_ForceZero(serverKeyBuf, LARGE_TEMP_SZ);
     XFREE(caKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(altCaKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(sapkiBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
@@ -1270,64 +1276,32 @@ int wolfCLU_CertSign(WOLFCLU_CERT_SIGN* csign, WOLFSSL_X509* x509)
 
     /* set hash for signature */
     if (ret == WOLFCLU_SUCCESS) {
-        switch (csign->hashType) {
-            case WC_HASH_TYPE_MD5:
-            #ifndef NO_MD5
-                md  = wolfSSL_EVP_md5();
-            #else
-                wolfCLU_LogError("MD5 not compiled in");
-                ret = WOLFCLU_FATAL_ERROR;
-            #endif
-                break;
-
-            case WC_HASH_TYPE_SHA:
-                md  = wolfSSL_EVP_sha1();
-                break;
-
-            case WC_HASH_TYPE_SHA224:
-                md  = wolfSSL_EVP_sha224();
-                break;
-
-            case WC_HASH_TYPE_SHA256:
-                md  = wolfSSL_EVP_sha256();
-                break;
-
-            case WC_HASH_TYPE_SHA384:
-                md  = wolfSSL_EVP_sha384();
-                break;
-
-            case WC_HASH_TYPE_SHA512:
-                md  = wolfSSL_EVP_sha512();
-                break;
-
-            case WC_HASH_TYPE_NONE:
-            case WC_HASH_TYPE_MD2:
-            case WC_HASH_TYPE_MD4:
-            case WC_HASH_TYPE_MD5_SHA:
-            case WC_HASH_TYPE_SHA3_224:
-            case WC_HASH_TYPE_SHA3_256:
-            case WC_HASH_TYPE_SHA3_384:
-            case WC_HASH_TYPE_SHA3_512:
-            case WC_HASH_TYPE_BLAKE2B:
-            case WC_HASH_TYPE_BLAKE2S:
-
-    #if LIBWOLFSSL_VERSION_HEX > 0x05001000
-        #ifndef WOLFSSL_NOSHA512_224
-            case WC_HASH_TYPE_SHA512_224:
-        #endif
-        #ifndef WOLFSSL_NOSHA512_256
-            case WC_HASH_TYPE_SHA512_256:
-        #endif
-        #ifdef WOLFSSL_SHAKE128
-            case WC_HASH_TYPE_SHAKE128:
-        #endif
-        #ifdef WOLFSSL_SHAKE256
-            case WC_HASH_TYPE_SHAKE256:
+        if (csign->hashType == WC_HASH_TYPE_MD5) {
+        #ifndef NO_MD5
+            md = wolfSSL_EVP_md5();
+        #else
+            wolfCLU_LogError("MD5 not compiled in");
+            ret = WOLFCLU_FATAL_ERROR;
         #endif
-    #endif
-            default:
-                wolfCLU_LogError("Unsupported hash type");
-                ret = WOLFCLU_FATAL_ERROR;
+        }
+        else if (csign->hashType == WC_HASH_TYPE_SHA) {
+            md = wolfSSL_EVP_sha1();
+        }
+        else if (csign->hashType == WC_HASH_TYPE_SHA224) {
+            md = wolfSSL_EVP_sha224();
+        }
+        else if (csign->hashType == WC_HASH_TYPE_SHA256) {
+            md = wolfSSL_EVP_sha256();
+        }
+        else if (csign->hashType == WC_HASH_TYPE_SHA384) {
+            md = wolfSSL_EVP_sha384();
+        }
+        else if (csign->hashType == WC_HASH_TYPE_SHA512) {
+            md = wolfSSL_EVP_sha512();
+        }
+        else {
+            wolfCLU_LogError("Unsupported hash type");
+            ret = WOLFCLU_FATAL_ERROR;
         }
     }
 
