When WOLFSSL_SM2 and WOLFSSL_SM3 are both defined, KEYID_SIZE becomes 32
(WC_SM3_DIGEST_SIZE) but OCSP_RESPONDER_ID_KEY_SZ remains 20 (SHA-1 per
RFC 6960). The guard (int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ in
OcspFindSigner() and OcspRespIdMatch() evaluated to false (32 != 20),
completely disabling key-based OCSP responder ID matching. This caused
OCSP stapling to fail with BAD_CERTIFICATE_STATUS_ERROR (-406) against
any server using a key-based responder ID (e.g. login.live.com).
Fix by comparing only OCSP_RESPONDER_ID_KEY_SZ bytes for the responder
ID match, and zero-padding the 20-byte key hash to KEYID_SIZE before
passing to CA lookup functions that compare the full KEYID_SIZE.
- Fix SM4 GCM/CCM TLS 1.3 decrypt to read auth tag from input buffer
instead of output buffer, consistent with all other AEAD ciphers
(src/tls13.c)
- Fix SM4_BLOCK_SIZE typo (was SM$_BLOCK_SIZE) in TicketEncDec SM4-GCM
decrypt path (src/internal.c)
- Fix SM2 certificate signature verification for certs using
id-ecPublicKey (ECDSAk) with SM2-with-SM3 signature algorithm.
OpenSSL creates SM2 cert signatures without the standard
distinguishing identifier in the ZA hash. The SM2k code path already
handled this correctly (idSz=0), but the ECDSAk + CTC_SM3wSM2 path
was incorrectly using CERT_SIG_ID_SZ (16), causing ASN_SIG_CONFIRM_E
(-155) when verifying non-self-signed SM2 certs (wolfcrypt/src/asn.c)
- Regenerate expired SM2 test certificates via certs/sm2/gen-sm2-certs.sh
They had expired.
In `quic_record_transfer()`, the unsigned subtraction
`qr->end - qr->start` could wrap around if `end < start`, and the
subsequent `len <= 0` check was ineffective on a `word32`. Move the
comparison before the subtraction so the function returns `0` safely.
In `GetEchConfig()`, `XSTRLEN(config->publicName)` was assigned to a
single byte, silently truncating names longer than 255 characters while
`XMEMCPY` still copied the full string. Add a 255-byte length
validation in both `wolfSSL_CTX_GenerateEchConfig()` and
`GetEchConfig()`, and cache the length in a local variable to avoid
redundant `XSTRLEN` calls.
The vtest/VTest2 GitHub repo was archived on 2026-02-18 and its main
branch Makefile now exits with "THIS REPOSITORY HAS MOVED". The
maintainers tagged the last buildable commit as `last`.
Patch build-vtest.sh for both haproxy versions in the matrix:
- v3.1.0 still references wlallemand/VTest (removed long ago)
- v3.2.0 references vtest/VTest2 main branch (now broken)
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
- Fix missing cleanup on error in wc_XChaCha20Poly1305_crypt_oneshot:
change early return to goto out so ForceZero and free are called
- Fix memory leak in wc_DeCompressDynamic: free tmp buffer before
early return on avail_out size check failure
- Fix unconditional mutex unlock in PQC sign functions (falcon,
sphincs, dilithium): only call unlock when lock was acquired
- Remove dead oqssig NULL checks in falcon sign/verify that are
unreachable after the preceding SIG_TYPE_E assignment
DTLS13_FIXED_BITS_MASK used 0x111 (hex 273) instead of 0x7 (decimal 7,
binary 111). Per RFC 9147 Section 4, the top 3 bits of the unified
header flags byte must be 001. The incorrect hex value caused the mask
to only check bit 5 instead of bits 5, 6, and 7, allowing bytes with
bits 6 or 7 set to be misidentified as unified DTLS 1.3 headers.
The while loop conditions in TLSX_TCA_Find were inverted, causing two
bugs: the loop short-circuited on type match alone without checking the
id content, and the XMEMCMP sense was reversed (continuing on match,
stopping on mismatch). This meant any TCA entry with a matching type
would be returned as a match regardless of whether the identifier
actually matched.
Restructure the loop to correctly require both type and id (size +
content) to match before returning an entry, and to match any entry
immediately for PRE_AGREED type.
Add test_TLSX_TCA_Find unit test exercising exact match, mismatched id,
and PRE_AGREED cases via memio handshake.
Latest version of clang with optimization turned right up will make the
pre-fetch functions return 0.
The pre-fetch functions are there to ensure tables are all in cache not
to calculate a value.
- ECH: add bounds check on hpkePubkeyLen against HPKE_Npk_MAX to
prevent heap buffer overflow from untrusted ECH config data
- Sniffer: fix reassembly memory limit check typo, MaxRecoveryMemory -1
should be MaxRecoveryMemory != -1
- Sniffer: add bounds check in IPv6 extension header parsing loop to
prevent OOB read when next_header never matches TCP or NO_NEXT_HEADER
- Sniffer: validate tlsFragOffset + rhSize against tlsFragSize before
XMEMCPY in both TLS handshake fragment reassembly paths
- Internal: use WC_SAFE_SUM_WORD32 in GrowAnOutputBuffer to prevent
integer overflow on allocation size, matching existing pattern in
GrowOutputBuffer