When WOLFSSL_SM2 and WOLFSSL_SM3 are both defined, KEYID_SIZE becomes 32
(WC_SM3_DIGEST_SIZE) but OCSP_RESPONDER_ID_KEY_SZ remains 20 (SHA-1 per
RFC 6960). The guard (int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ in
OcspFindSigner() and OcspRespIdMatch() evaluated to false (32 != 20),
completely disabling key-based OCSP responder ID matching. This caused
OCSP stapling to fail with BAD_CERTIFICATE_STATUS_ERROR (-406) against
any server using a key-based responder ID (e.g. login.live.com).
Fix by comparing only OCSP_RESPONDER_ID_KEY_SZ bytes for the responder
ID match, and zero-padding the 20-byte key hash to KEYID_SIZE before
passing to CA lookup functions that compare the full KEYID_SIZE.
- Fix SM4 GCM/CCM TLS 1.3 decrypt to read auth tag from input buffer
instead of output buffer, consistent with all other AEAD ciphers
(src/tls13.c)
- Fix SM4_BLOCK_SIZE typo (was SM$_BLOCK_SIZE) in TicketEncDec SM4-GCM
decrypt path (src/internal.c)
- Fix SM2 certificate signature verification for certs using
id-ecPublicKey (ECDSAk) with SM2-with-SM3 signature algorithm.
OpenSSL creates SM2 cert signatures without the standard
distinguishing identifier in the ZA hash. The SM2k code path already
handled this correctly (idSz=0), but the ECDSAk + CTC_SM3wSM2 path
was incorrectly using CERT_SIG_ID_SZ (16), causing ASN_SIG_CONFIRM_E
(-155) when verifying non-self-signed SM2 certs (wolfcrypt/src/asn.c)
- Regenerate expired SM2 test certificates via certs/sm2/gen-sm2-certs.sh
They had expired.
- Fix missing cleanup on error in wc_XChaCha20Poly1305_crypt_oneshot:
change early return to goto out so ForceZero and free are called
- Fix memory leak in wc_DeCompressDynamic: free tmp buffer before
early return on avail_out size check failure
- Fix unconditional mutex unlock in PQC sign functions (falcon,
sphincs, dilithium): only call unlock when lock was acquired
- Remove dead oqssig NULL checks in falcon sign/verify that are
unreachable after the preceding SIG_TYPE_E assignment
Latest version of clang with optimization turned right up will make the
pre-fetch functions return 0.
The pre-fetch functions are there to ensure tables are all in cache not
to calculate a value.
wolfcrypt/test/test.c: fix error-path memory leaks in srtpkdf_test(), and properly gate out incompatible SRTP_KDF_LONG_KEY test on old FIPS (defect introduced in #9733);
.wolfssl_known_macro_extras: get into lexical order and remove unneeded WC_RSA_DIRECT.