internal: re-verify restored ticket peer cert against trust store

RestorePeerCertFromTicket passed verify=0 and CertificateManager=NULL to
ParseCertRelative, so a ticket-restored peer cert was decoded and installed
without any CRL/OCSP or trust-walk opportunity. A principal whose CA was
removed or whose cert was revoked after ticket issuance remained valid for
the full ticket lifetime. Pass SSL_CM(ssl) and honor verifyPeer so the
restored cert is re-checked on every resumption.

Author: julek-wolfssl

src/internal.c

@@ -39686,8 +39686,12 @@ static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
                 dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
                                                DYNAMIC_TYPE_DCERT);
                 if (dCert != NULL) {
+                    int verify = ssl->options.verifyPeer ? VERIFY : NO_VERIFY;
                     InitDecodedCert(dCert, it->peerCert, peerCertLen, ssl->heap);
-                    ret = ParseCertRelative(dCert, CERT_TYPE, 0, NULL, NULL);
+                    /* Re-walk trust store so CA removal / CRL / OCSP since
+                     * ticket issue still apply. */
+                    ret = ParseCertRelative(dCert, CERT_TYPE, verify,
+                                            SSL_CM(ssl), NULL);
                     if (ret == 0) {
                         FreeX509(&ssl->peerCert);
                         InitX509(&ssl->peerCert, 0, ssl->heap);