mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 16:20:48 +02:00
4e37d99d07
When WOLFSSL_SM2 and WOLFSSL_SM3 are both defined, KEYID_SIZE becomes 32 (WC_SM3_DIGEST_SIZE) but OCSP_RESPONDER_ID_KEY_SZ remains 20 (SHA-1 per RFC 6960). The guard (int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ in OcspFindSigner() and OcspRespIdMatch() evaluated to false (32 != 20), completely disabling key-based OCSP responder ID matching. This caused OCSP stapling to fail with BAD_CERTIFICATE_STATUS_ERROR (-406) against any server using a key-based responder ID (e.g. login.live.com). Fix by comparing only OCSP_RESPONDER_ID_KEY_SZ bytes for the responder ID match, and zero-padding the 20-byte key hash to KEYID_SIZE before passing to CA lookup functions that compare the full KEYID_SIZE.