
Commit a236e27

x509_str: require CA:TRUE unconditionally in wolfSSL_X509_verify_cert
Drop the OPENSSL_ALL / WOLFSSL_QT preprocessor guard on the basicConstraints cA check so non-CA issuers are rejected in every OpenSSL-compat build. OPENSSL_EXTRA-only builds previously installed an attacker-supplied CA:FALSE leaf as a temporary CA via X509StoreAddCa(..., WOLFSSL_TEMP_CA), bypassing RFC 5280 4.2.1.9. The verify_cb override path stays gated on OPENSSL_ALL / WOLFSSL_QT since that field only exists there. Continuation of the CVE-2026-5501 fix.
1 parent c098e53 commit a236e27

1 file changed

Lines changed: 7 additions & 9 deletions

File tree

src/x509_str.c

@@ -705,28 +705,26 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
705705

706706
/* We found our issuer in the non-trusted cert list, add it
707707
* to the CM and verify the current cert against it */
708-
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
709-
/* OpenSSL doesn't allow the cert as CA if it is not CA:TRUE for
710-
* intermediate certs.
711-
*/
708+
/* RFC 5280 4.2.1.9: reject non-CA issuer. */
712709
if (!issuer->isCa) {
713-
/* error depth is current depth + 1 */
714710
SetupStoreCtxError_ex(ctx, X509_V_ERR_INVALID_CA,
715711
(ctx->chain) ? (int)(ctx->chain->num + 1) : 1);
712+
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
716713
if (ctx->store->verify_cb) {
717714
ret = ctx->store->verify_cb(0, ctx);
718715
if (ret != WOLFSSL_SUCCESS) {
719716
ret = WOLFSSL_FAILURE;
720717
goto exit;
721718
}
722719
}
723-
else {
720+
else
721+
#endif
722+
{
724723
ret = WOLFSSL_FAILURE;
725724
goto exit;
726725
}
727-
} else
728-
#endif
729-
{
726+
}
727+
else {
730728
ret = X509StoreAddCa(ctx->store, issuer,
731729
WOLFSSL_TEMP_CA);
732730
if (ret != WOLFSSL_SUCCESS) {
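Review bot: the rewrite drops the `/* error depth is current depth + 1 */` comment that explained the `(ctx->chain) ? (int)(ctx->chain->num + 1) : 1` argument to SetupStoreCtxError_ex; keep it beside the call, since the `+ 1` is not self-explanatory from the surrounding lines. The new brace layout, where `else` is followed by `#endif` and then `{`, makes the structure of a security check depend on preprocessor state and is easy to misread; a clearer shape is a local flag (for example `int overridden = 0;`) set inside the OPENSSL_ALL / WOLFSSL_QT block when verify_cb returns WOLFSSL_SUCCESS, followed by an unconditional `if (!overridden) { ret = WOLFSSL_FAILURE; goto exit; }`, so the reject path reads the same in every build. Since the commit message states that OPENSSL_EXTRA-only builds previously accepted a CA:FALSE issuer via X509StoreAddCa(..., WOLFSSL_TEMP_CA), a regression test that such an issuer now fails with X509_V_ERR_INVALID_CA in an OPENSSL_EXTRA-only configuration would pin the fix.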
