From 829fbbc70255e1957dc78ada65330689414033a4 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 24 Mar 2026 19:50:37 +0100 Subject: [PATCH 1/3] Fix namespace collision on CRL reasons --- examples/ocsp_responder/ocsp_responder.c | 4 ++-- src/ocsp.c | 4 ++-- tests/api/test_ocsp.c | 18 +++++++++--------- wolfssl/wolfcrypt/asn.h | 20 ++++++++++---------- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/examples/ocsp_responder/ocsp_responder.c b/examples/ocsp_responder/ocsp_responder.c index 79c9c0e2867..54d1d9886cd 100644 --- a/examples/ocsp_responder/ocsp_responder.c +++ b/examples/ocsp_responder/ocsp_responder.c @@ -434,7 +434,7 @@ static int PopulateResponderFromIndex(OcspResponder* responder, word32 serialLen = 0; enum Ocsp_Cert_Status status; time_t revTime = 0; - enum WC_CRL_Reason revReason = CRL_REASON_UNSPECIFIED; + enum WC_CRL_Reason revReason = WC_CRL_REASON_UNSPECIFIED; word32 validity = 86400; char* p = entry->serial; word32 i; @@ -487,7 +487,7 @@ static int PopulateResponderFromIndex(OcspResponder* responder, else if (entry->status == 'R') { status = CERT_REVOKED; revTime = entry->revocationTime; - revReason = CRL_REASON_UNSPECIFIED; + revReason = WC_CRL_REASON_UNSPECIFIED; validity = 0; } else { diff --git a/src/ocsp.c b/src/ocsp.c index 0eeec815385..d0dd56c3f7c 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -2520,8 +2520,8 @@ int wc_OcspResponder_SetCertStatus(OcspResponder* responder, if (status == CERT_REVOKED) { if (revocationTime <= 0) goto out; - if (revocationReason < CRL_REASON_UNSPECIFIED || - revocationReason > CRL_REASON_AA_COMPROMISE) + if (revocationReason < WC_CRL_REASON_UNSPECIFIED || + revocationReason > WC_CRL_REASON_AA_COMPROMISE) goto out; /* Skip value 7 which is not used */ if (revocationReason == 7) diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c index 06c527bf828..f447961fb6b 100644 --- a/tests/api/test_ocsp.c +++ b/tests/api/test_ocsp.c @@ -1510,7 +1510,7 @@ int test_ocsp_responder(void) "./certs/ca-key.der", "./certs/server-cert.der", CERT_GOOD, - 0, CRL_REASON_UNSPECIFIED, + 0, WC_CRL_REASON_UNSPECIFIED, 86400, /* validityPeriod - 24 hours */ 0, "RSA server cert - GOOD status" @@ -1521,7 +1521,7 @@ int test_ocsp_responder(void) "./certs/ca-key.der", "./certs/server-cert.der", CERT_REVOKED, - now, CRL_REASON_KEY_COMPROMISE, /* Revoked due to key compromise */ + now, WC_CRL_REASON_KEY_COMPROMISE, /* Revoked due to key compromise */ 0, /* validityPeriod (not used for REVOKED) */ OCSP_CERT_REVOKED, "RSA server cert - REVOKED status" @@ -1532,7 +1532,7 @@ int test_ocsp_responder(void) "./certs/ca-key.der", "./certs/server-cert.der", CERT_UNKNOWN, - 0, CRL_REASON_UNSPECIFIED, + 0, WC_CRL_REASON_UNSPECIFIED, 0, /* validityPeriod (not used for UNKNOWN) */ OCSP_CERT_UNKNOWN, "RSA server cert - UNKNOWN status" @@ -1543,7 +1543,7 @@ int test_ocsp_responder(void) "./certs/ocsp/ocsp-responder-key.der", "./certs/ocsp/intermediate1-ca-cert.der", CERT_GOOD, - 0, CRL_REASON_UNSPECIFIED, + 0, WC_CRL_REASON_UNSPECIFIED, 86400, /* validityPeriod - 24 hours */ 0, "RSA int1 cert with responder - GOOD status" @@ -1554,7 +1554,7 @@ int test_ocsp_responder(void) "./certs/ocsp/ocsp-responder-key.der", "./certs/ocsp/intermediate1-ca-cert.der", CERT_REVOKED, - now, CRL_REASON_KEY_COMPROMISE, /* Revoked due to key compromise */ + now, WC_CRL_REASON_KEY_COMPROMISE, /* Revoked due to key compromise */ 0, /* validityPeriod (not used for REVOKED) */ OCSP_CERT_REVOKED, "RSA int1 cert with responder - REVOKED status" @@ -1565,7 +1565,7 @@ int test_ocsp_responder(void) "./certs/ocsp/ocsp-responder-key.der", "./certs/ocsp/intermediate1-ca-cert.der", CERT_UNKNOWN, - 0, CRL_REASON_UNSPECIFIED, + 0, WC_CRL_REASON_UNSPECIFIED, 0, /* validityPeriod (not used for UNKNOWN) */ OCSP_CERT_UNKNOWN, "RSA int1 cert with responder - UNKNOWN status" @@ -1577,7 +1577,7 @@ int test_ocsp_responder(void) "./certs/ca-ecc-key.der", "./certs/server-ecc.der", CERT_GOOD, - 0, CRL_REASON_UNSPECIFIED, + 0, WC_CRL_REASON_UNSPECIFIED, 86400, /* validityPeriod - 24 hours */ 0, "ECC server cert - GOOD status" @@ -1588,7 +1588,7 @@ int test_ocsp_responder(void) "./certs/ca-ecc-key.der", "./certs/server-ecc.der", CERT_REVOKED, - now, CRL_REASON_AFFILIATION_CHANGED, + now, WC_CRL_REASON_AFFILIATION_CHANGED, 0, /* validityPeriod (not used for REVOKED) */ OCSP_CERT_REVOKED, "ECC server cert - REVOKED status" @@ -1599,7 +1599,7 @@ int test_ocsp_responder(void) "./certs/ca-ecc-key.der", "./certs/server-ecc.der", CERT_UNKNOWN, - 0, CRL_REASON_UNSPECIFIED, + 0, WC_CRL_REASON_UNSPECIFIED, 0, /* validityPeriod (not used for UNKNOWN) */ OCSP_CERT_UNKNOWN, "ECC server cert - UNKNOWN status" diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 08dab649ae0..d244602cf2f 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2899,17 +2899,17 @@ WOLFSSL_LOCAL int OcspDecodeCertID(const byte* input, word32* inOutIdx, word32 i #ifdef HAVE_OCSP_RESPONDER /* Revocation reason codes from RFC 5280 */ enum WC_CRL_Reason { - CRL_REASON_UNSPECIFIED = 0, - CRL_REASON_KEY_COMPROMISE = 1, - CRL_REASON_CA_COMPROMISE = 2, - CRL_REASON_AFFILIATION_CHANGED = 3, - CRL_REASON_SUPERSEDED = 4, - CRL_REASON_CESSATION_OF_OPERATION = 5, - CRL_REASON_CERTIFICATE_HOLD = 6, + WC_CRL_REASON_UNSPECIFIED = 0, + WC_CRL_REASON_KEY_COMPROMISE = 1, + WC_CRL_REASON_CA_COMPROMISE = 2, + WC_CRL_REASON_AFFILIATION_CHANGED = 3, + WC_CRL_REASON_SUPERSEDED = 4, + WC_CRL_REASON_CESSATION_OF_OPERATION = 5, + WC_CRL_REASON_CERTIFICATE_HOLD = 6, /* value 7 is not used */ - CRL_REASON_REMOVE_FROM_CRL = 8, - CRL_REASON_PRIVILEGE_WITHDRAWN = 9, - CRL_REASON_AA_COMPROMISE = 10 + WC_CRL_REASON_REMOVE_FROM_CRL = 8, + WC_CRL_REASON_PRIVILEGE_WITHDRAWN = 9, + WC_CRL_REASON_AA_COMPROMISE = 10 }; /* Certificate status entry for a single certificate */ From 6a1db27baebe7bb4d07e504864922aab4eaed789 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 25 Mar 2026 17:59:18 +0100 Subject: [PATCH 2/3] Fix type casting for psk_keySz in MakePSKPreMasterSecret and initialize newSz in PKCS12_ConcatenateContent --- src/internal.c | 2 +- wolfcrypt/src/pkcs12.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index 516f7ccc683..0a628ca473b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -31011,7 +31011,7 @@ static void MakePSKPreMasterSecret(Arrays* arrays, byte use_psk_key) XMEMSET(pms, 0, sz); pms += sz; } - c16toa(arrays->psk_keySz, pms); + c16toa((word16)arrays->psk_keySz, pms); pms += OPAQUE16_LEN; XMEMCPY(pms, arrays->psk_key, arrays->psk_keySz); arrays->preMasterSz = sz + arrays->psk_keySz + OPAQUE16_LEN * 2; diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c index 5f00282f387..41e42c8b020 100644 --- a/wolfcrypt/src/pkcs12.c +++ b/wolfcrypt/src/pkcs12.c @@ -1147,7 +1147,7 @@ static byte* PKCS12_ConcatenateContent(WC_PKCS12* pkcs12,byte* mergedData, { byte* oldContent; word32 oldContentSz; - word32 newSz; + word32 newSz = 0; (void)pkcs12; From ed5eac1c7d275b14e48700988e93c10fb9a85ae3 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 27 Mar 2026 15:09:54 +0100 Subject: [PATCH 3/3] wc_EncryptedInfoGet: add AES-CTR support --- wolfcrypt/src/asn.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index c6b0525ca8c..08f16ef1da8 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -23259,6 +23259,15 @@ static wcchar kDecInfoHeader = "DEK-Info"; #if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) static wcchar kEncTypeAesCbc256 = "AES-256-CBC"; #endif +#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128) + static wcchar kEncTypeAesCtr128 = "AES-128-CTR"; +#endif +#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_192) + static wcchar kEncTypeAesCtr192 = "AES-192-CTR"; +#endif +#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_256) + static wcchar kEncTypeAesCtr256 = "AES-256-CTR"; +#endif int wc_EncryptedInfoGet(EncryptedInfo* info, const char* cipherInfo) { @@ -23314,6 +23323,30 @@ int wc_EncryptedInfoGet(EncryptedInfo* info, const char* cipherInfo) if (info->ivSz == 0) info->ivSz = AES_IV_SIZE; } else +#endif +#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128) + if (XSTRCMP(cipherInfo, kEncTypeAesCtr128) == 0) { + info->cipherType = WC_CIPHER_AES_CTR; + info->keySz = AES_128_KEY_SIZE; + if (info->ivSz == 0) info->ivSz = AES_IV_SIZE; + } + else +#endif +#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_192) + if (XSTRCMP(cipherInfo, kEncTypeAesCtr192) == 0) { + info->cipherType = WC_CIPHER_AES_CTR; + info->keySz = AES_192_KEY_SIZE; + if (info->ivSz == 0) info->ivSz = AES_IV_SIZE; + } + else +#endif +#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_256) + if (XSTRCMP(cipherInfo, kEncTypeAesCtr256) == 0) { + info->cipherType = WC_CIPHER_AES_CTR; + info->keySz = AES_256_KEY_SIZE; + if (info->ivSz == 0) info->ivSz = AES_IV_SIZE; + } + else #endif { ret = NOT_COMPILED_IN;