wolfSSL · JacobBarthelmeh · Jun 27, 2024 · Jun 27, 2024
diff --git a/src/crl.c b/src/crl.c
@@ -121,7 +121,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
     wolfSSL_d2i_X509_NAME(&crle->issuer, (unsigned char**)&dcrl->issuer,
                           dcrl->issuerSz);
     if (crle->issuer == NULL) {
-        return WOLFSSL_FAILURE;
+        return -1;
     }
 #endif
 #ifdef CRL_STATIC_REVOKED_LIST

diff --git a/src/internal.c b/src/internal.c
@@ -13495,6 +13495,9 @@ int SetupStoreCtxCallback(WOLFSSL_X509_STORE_CTX** store_pt,
                 store->current_cert = x509;
                 *x509Free = 1;
             }
+            else {
+                goto mem_error;
+            }
         }
 #endif
 #ifdef SESSION_CERTS

diff --git a/src/ssl.c b/src/ssl.c
@@ -5437,24 +5437,9 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
         if (!signer)
             ret = MEMORY_ERROR;
     }
-#if defined(WOLFSSL_AKID_NAME) || defined(HAVE_CRL)
-    if (ret == 0 && signer != NULL)
-        ret = CalcHashId(cert->serial, cert->serialSz, signer->serialHash);
-#endif
-    if (ret == 0 && signer != NULL) {
-    #ifdef WOLFSSL_SIGNER_DER_CERT
-        ret = AllocDer(&signer->derCert, der->length, der->type, NULL);
-    }
-    if (ret == 0 && signer != NULL) {
-        XMEMCPY(signer->derCert->buffer, der->buffer, der->length);
-    #endif
-        signer->keyOID         = cert->keyOID;
-        if (cert->pubKeyStored) {
-            signer->publicKey      = cert->publicKey;
-            signer->pubKeySize     = cert->pubKeySize;
-        }
 
 #ifdef WOLFSSL_DUAL_ALG_CERTS
+    if (ret == 0 && signer != NULL) {
         if (cert->extSapkiSet && cert->sapkiLen > 0) {
             /* Allocated space for alternative public key. */
             signer->sapkiDer = (byte*)XMALLOC(cert->sapkiLen, cm->heap,
@@ -5468,8 +5453,26 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
                 signer->sapkiOID = cert->sapkiOID;
             }
         }
+    }
 #endif /* WOLFSSL_DUAL_ALG_CERTS */
 
+#if defined(WOLFSSL_AKID_NAME) || defined(HAVE_CRL)
+    if (ret == 0 && signer != NULL)
+        ret = CalcHashId(cert->serial, cert->serialSz, signer->serialHash);
+#endif
+    if (ret == 0 && signer != NULL) {
+    #ifdef WOLFSSL_SIGNER_DER_CERT
+        ret = AllocDer(&signer->derCert, der->length, der->type, NULL);
+    }
+    if (ret == 0 && signer != NULL) {
+        XMEMCPY(signer->derCert->buffer, der->buffer, der->length);
+    #endif
+        signer->keyOID         = cert->keyOID;
+        if (cert->pubKeyStored) {
+            signer->publicKey      = cert->publicKey;
+            signer->pubKeySize     = cert->pubKeySize;
+        }
+
         if (cert->subjectCNStored) {
             signer->nameLen        = cert->subjectCNLen;
             signer->name           = cert->subjectCN;

diff --git a/src/ssl_load.c b/src/ssl_load.c
@@ -5202,6 +5202,8 @@ static int wolfssl_set_tmp_dh(WOLFSSL* ssl, unsigned char* p, int pSz,
 
     /* Allocate space for cipher suites. */
     if ((ret == 1) && (AllocateSuites(ssl) != 0)) {
+        ssl->buffers.serverDH_P.buffer = NULL;
+        ssl->buffers.serverDH_G.buffer = NULL;
         ret = 0;
     }
     if (ret == 1) {
@@ -5249,8 +5251,6 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
         pAlloc = (byte*)XMALLOC(pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
         gAlloc = (byte*)XMALLOC(gSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
         if ((pAlloc == NULL) || (gAlloc == NULL)) {
-            XFREE(pAlloc, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
-            XFREE(gAlloc, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
             ret = MEMORY_E;
         }
     }

diff --git a/src/tls13.c b/src/tls13.c
@@ -9691,6 +9691,7 @@ static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs)
 }
 
 #ifdef WOLFSSL_DUAL_ALG_CERTS
+#ifndef NO_RSA
 /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
  * RSA public key. Convert it into a usable public key. */
 static int decodeRsaKey(WOLFSSL* ssl)
@@ -9714,7 +9715,9 @@ static int decodeRsaKey(WOLFSSL* ssl)
 
     return 0;
 }
+#endif /* !NO_RSA */
 
+#ifdef HAVE_ECC
 /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
  * ECC public key. Convert it into a usable public key. */
 static int decodeEccKey(WOLFSSL* ssl)
@@ -9738,7 +9741,9 @@ static int decodeEccKey(WOLFSSL* ssl)
 
     return 0;
 }
+#endif /* HAVE_ECC */
 
+#ifdef HAVE_DILITHIUM
 /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
  * dilithium public key. Convert it into a usable public key. */
 static int decodeDilithiumKey(WOLFSSL* ssl, int level)
@@ -9767,7 +9772,9 @@ static int decodeDilithiumKey(WOLFSSL* ssl, int level)
 
     return 0;
 }
+#endif /* HAVE_DILITHIUM */
 
+#ifdef HAVE_FALCON
 /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
  * falcon public key. Convert it into a usable public key. */
 static int decodeFalconKey(WOLFSSL* ssl, int level)
@@ -9795,6 +9802,7 @@ static int decodeFalconKey(WOLFSSL* ssl, int level)
 
     return 0;
 }
+#endif /* HAVE_FALCON */
 #endif /* WOLFSSL_DUAL_ALG_CERTS */
 
 /* handle processing TLS v1.3 certificate_verify (15) */
@@ -9947,12 +9955,17 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                     sa = args->altSigAlgo;
 
                 switch(sa) {
+            #ifndef NO_RSA
                 case rsa_pss_sa_algo:
                     ret = decodeRsaKey(ssl);
                     break;
+            #endif
+            #ifdef HAVE_ECC
                 case ecc_dsa_sa_algo:
                     ret = decodeEccKey(ssl);
                     break;
+            #endif
+            #ifdef HAVE_DILITHIUM
                 case dilithium_level2_sa_algo:
                     ret = decodeDilithiumKey(ssl, 2);
                     break;
@@ -9962,12 +9975,15 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                 case dilithium_level5_sa_algo:
                     ret = decodeDilithiumKey(ssl, 5);
                     break;
+            #endif
+            #ifdef HAVE_FALCON
                 case falcon_level1_sa_algo:
                     ret = decodeFalconKey(ssl, 1);
                     break;
                 case falcon_level5_sa_algo:
                     ret = decodeFalconKey(ssl, 5);
                     break;
+            #endif
                 default:
                     ERROR_OUT(PEER_KEY_ERROR, exit_dcv);
                 }
@@ -9978,17 +9994,22 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                 if (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) {
                     /* Now swap in the alternative by removing the native.
                      * sa contains the alternative signature type. */
+                #ifndef NO_RSA
                     if (ssl->peerRsaKeyPresent && sa != rsa_pss_sa_algo) {
                         FreeKey(ssl, DYNAMIC_TYPE_RSA,
                                 (void**)&ssl->peerRsaKey);
                         ssl->peerRsaKeyPresent = 0;
                     }
+                #endif
+                #ifdef HAVE_ECC
                     else if (ssl->peerEccDsaKeyPresent &&
                              sa != ecc_dsa_sa_algo) {
                         FreeKey(ssl, DYNAMIC_TYPE_ECC,
                                 (void**)&ssl->peerEccDsaKey);
                         ssl->peerEccDsaKeyPresent = 0;
                     }
+                #endif
+                #ifdef HAVE_DILITHIUM
                     else if (ssl->peerDilithiumKeyPresent &&
                              sa != dilithium_level2_sa_algo &&
                              sa != dilithium_level3_sa_algo &&
@@ -9997,13 +10018,16 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                                 (void**)&ssl->peerDilithiumKey);
                         ssl->peerDilithiumKeyPresent = 0;
                     }
+                #endif
+                #ifdef HAVE_FALCON
                     else if (ssl->peerFalconKeyPresent &&
                              sa != falcon_level1_sa_algo &&
                              sa != falcon_level5_sa_algo) {
                         FreeKey(ssl, DYNAMIC_TYPE_FALCON,
                                 (void**)&ssl->peerFalconKey);
                         ssl->peerFalconKeyPresent = 0;
                     }
+                #endif
                     else {
                         ERROR_OUT(PEER_KEY_ERROR, exit_dcv);
                     }

diff --git a/src/x509.c b/src/x509.c
@@ -12852,6 +12852,7 @@ WOLF_STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list(
         if (name == NULL || WOLFSSL_SUCCESS != wolfSSL_sk_X509_NAME_push(copy, name)) {
             WOLFSSL_MSG("Memory error");
             wolfSSL_sk_X509_NAME_pop_free(copy, wolfSSL_X509_NAME_free);
+            wolfSSL_X509_NAME_free(name);
             return NULL;
         }
     }