Fix OCSP key-based responder ID lookup when SM2/SM3 is enabled.

LinuxJedi · LinuxJedi · commit 4e37d99d0736 · 2026-02-18T18:01:33.000Z
When WOLFSSL_SM2 and WOLFSSL_SM3 are both defined, KEYID_SIZE becomes 32
(WC_SM3_DIGEST_SIZE) but OCSP_RESPONDER_ID_KEY_SZ remains 20 (SHA-1 per
RFC 6960). The guard (int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ in
OcspFindSigner() and OcspRespIdMatch() evaluated to false (32 != 20),
completely disabling key-based OCSP responder ID matching. This caused
OCSP stapling to fail with BAD_CERTIFICATE_STATUS_ERROR (-406) against
any server using a key-based responder ID (e.g. login.live.com).

Fix by comparing only OCSP_RESPONDER_ID_KEY_SZ bytes for the responder
ID match, and zero-padding the 20-byte key hash to KEYID_SIZE before
passing to CA lookup functions that compare the full KEYID_SIZE.
diff --git a/src/ocsp.c b/src/ocsp.c
@@ -950,7 +950,8 @@ static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash,
                    SIGNER_DIGEST_SIZE) == 0;
     }
     else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) {
-        return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0;
+        return XMEMCMP(keyHash, resp->responderId.keyHash,
+                   OCSP_RESPONDER_ID_KEY_SZ) == 0;
     }
 
     return 0;
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -39573,8 +39573,9 @@ static int OcspRespIdMatch(OcspResponse *resp, const byte *NameHash,
         return XMEMCMP(NameHash, resp->responderId.nameHash,
             SIGNER_DIGEST_SIZE) == 0;
     /* OCSP_RESPONDER_ID_KEY */
-    return ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) &&
-        XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0;
+    return (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) &&
+        XMEMCMP(keyHash, resp->responderId.keyHash,
+            OCSP_RESPONDER_ID_KEY_SZ) == 0;
 }
 
 #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
@@ -39613,8 +39614,15 @@ static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm)
         if (s)
             return s;
     }
-    else if ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) {
-        s = GetCAByKeyHash(cm, resp->responderId.keyHash);
+    else if (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) {
+        /* Responder key hash is OCSP_RESPONDER_ID_KEY_SZ bytes (SHA-1 per
+         * RFC 6960) but lookup functions compare KEYID_SIZE bytes. Zero-pad
+         * to avoid buffer over-read when KEYID_SIZE > OCSP_RESPONDER_ID_KEY_SZ
+         * (e.g. when SM2/SM3 is enabled). */
+        byte keyHash[KEYID_SIZE];
+        XMEMSET(keyHash, 0, KEYID_SIZE);
+        XMEMCPY(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ);
+        s = GetCAByKeyHash(cm, keyHash);
         if (s)
             return s;
     }
@@ -39627,8 +39635,11 @@ static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm)
         if (s)
             return s;
     }
-    else {
-        s = findSignerByKeyHash(resp->pendingCAs, resp->responderId.keyHash);
+    else if (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) {
+        byte keyHash[KEYID_SIZE];
+        XMEMSET(keyHash, 0, KEYID_SIZE);
+        XMEMCPY(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ);
+        s = findSignerByKeyHash(resp->pendingCAs, keyHash);
         if (s)
             return s;
     }

Original file line number	Diff line number	Diff line change
`@@ -950,7 +950,8 @@ static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash,`
`950`	`950`	`SIGNER_DIGEST_SIZE) == 0;`
`951`	`951`	`}`
`952`	`952`	`else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) {`
`953`		`- return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0;`
	`953`	`+ return XMEMCMP(keyHash, resp->responderId.keyHash,`
	`954`	`+ OCSP_RESPONDER_ID_KEY_SZ) == 0;`
`954`	`955`	`}`
`955`	`956`
`956`	`957`	`return 0;`