Fix OCSP key-based responder ID lookup when SM2/SM3 is enabled.

When WOLFSSL_SM2 and WOLFSSL_SM3 are both defined, KEYID_SIZE becomes 32
(WC_SM3_DIGEST_SIZE) but OCSP_RESPONDER_ID_KEY_SZ remains 20 (SHA-1 per
RFC 6960). The guard (int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ in
OcspFindSigner() and OcspRespIdMatch() evaluated to false (32 != 20),
completely disabling key-based OCSP responder ID matching. This caused
OCSP stapling to fail with BAD_CERTIFICATE_STATUS_ERROR (-406) against
any server using a key-based responder ID (e.g. login.live.com).

Fix by comparing only OCSP_RESPONDER_ID_KEY_SZ bytes for the responder
ID match, and zero-padding the 20-byte key hash to KEYID_SIZE before
passing to CA lookup functions that compare the full KEYID_SIZE.
Andrew Hutchings
2026-02-18 15:59:37 +00:00
parent 730519211d
commit 4e37d99d07
2 changed files with 19 additions and 7 deletions
+2 -1
@@ -950,7 +950,8 @@ static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash,
SIGNER_DIGEST_SIZE) == 0;
}
else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) {
return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0;
return XMEMCMP(keyHash, resp->responderId.keyHash,
OCSP_RESPONDER_ID_KEY_SZ) == 0;
}
return 0;
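Review bot: The key-hash branch compares `OCSP_RESPONDER_ID_KEY_SZ` bytes of `keyHash` without the `KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ` guard that this commit puts in front of the equivalent compare in `OcspRespIdMatch` in the other file. If `keyHash` is a `KEYID_SIZE`-byte buffer, as the replaced line suggests, a build where `KEYID_SIZE` is below 20 would read past its end here. Either mirror the guard, `return (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) && XMEMCMP(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ) == 0;`, or put one compile-time assertion on the two sizes next to their definitions so both files rely on the same check. The function starts and ends outside the hunk, so how callers size and compute `keyHash` is not visible from here.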
+17 -6
@@ -39573,8 +39573,9 @@ static int OcspRespIdMatch(OcspResponse *resp, const byte *NameHash,
return XMEMCMP(NameHash, resp->responderId.nameHash,
SIGNER_DIGEST_SIZE) == 0;
/* OCSP_RESPONDER_ID_KEY */
return ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) &&
XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0;
return (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) &&
XMEMCMP(keyHash, resp->responderId.keyHash,
OCSP_RESPONDER_ID_KEY_SZ) == 0;
}
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
@@ -39613,8 +39614,15 @@ static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm)
if (s)
return s;
}
else if ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) {
s = GetCAByKeyHash(cm, resp->responderId.keyHash);
else if (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) {
/* Responder key hash is OCSP_RESPONDER_ID_KEY_SZ bytes (SHA-1 per
* RFC 6960) but lookup functions compare KEYID_SIZE bytes. Zero-pad
* to avoid buffer over-read when KEYID_SIZE > OCSP_RESPONDER_ID_KEY_SZ
* (e.g. when SM2/SM3 is enabled). */
byte keyHash[KEYID_SIZE];
XMEMSET(keyHash, 0, KEYID_SIZE);
XMEMCPY(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ);
s = GetCAByKeyHash(cm, keyHash);
if (s)
return s;
}
@@ -39627,8 +39635,11 @@ static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm)
if (s)
return s;
}
else {
s = findSignerByKeyHash(resp->pendingCAs, resp->responderId.keyHash);
else if (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) {
byte keyHash[KEYID_SIZE];
XMEMSET(keyHash, 0, KEYID_SIZE);
XMEMCPY(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ);
s = findSignerByKeyHash(resp->pendingCAs, keyHash);
if (s)
return s;
}
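Review bot: The zero-padded lookup in the two `OcspFindSigner` hunks only finds a signer whose stored key hash is the 20-byte SHA-1 followed by zeros, because the added comment says the lookup functions compare all `KEYID_SIZE` bytes; neither `GetCAByKeyHash` nor `findSignerByKeyHash` is visible here to confirm how stored hashes are formed. If a build with `KEYID_SIZE` of 32 stores a full 32-byte digest for some signers, those responders would still fail to match without any diagnostic, so a test that verifies a key-ID response with SM2/SM3 enabled would be worth adding alongside the fix. The pad-and-copy block is also repeated verbatim and the second copy carries no comment; a one-line `/* zero-pad responder key hash to KEYID_SIZE, as in the cm lookup above */` or a small static helper would keep the two in step. Since `KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ` is constant at compile time, the `pendingCAs` branch now drops out silently when it is false, where it used to be an unconditional `else`.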