wolfSSL · julek-wolfssl · Mar 24, 2026 · Mar 25, 2026 · Mar 27, 2026
diff --git a/examples/ocsp_responder/ocsp_responder.c b/examples/ocsp_responder/ocsp_responder.c
@@ -434,7 +434,7 @@ static int PopulateResponderFromIndex(OcspResponder* responder,
         word32 serialLen = 0;
         enum Ocsp_Cert_Status status;
         time_t revTime = 0;
-        enum WC_CRL_Reason revReason = CRL_REASON_UNSPECIFIED;
+        enum WC_CRL_Reason revReason = WC_CRL_REASON_UNSPECIFIED;
         word32 validity = 86400;
         char* p = entry->serial;
         word32 i;
@@ -487,7 +487,7 @@ static int PopulateResponderFromIndex(OcspResponder* responder,
         else if (entry->status == 'R') {
             status = CERT_REVOKED;
             revTime = entry->revocationTime;
-            revReason = CRL_REASON_UNSPECIFIED;
+            revReason = WC_CRL_REASON_UNSPECIFIED;
             validity = 0;
         }
         else {

diff --git a/src/internal.c b/src/internal.c
@@ -31011,7 +31011,7 @@ static void MakePSKPreMasterSecret(Arrays* arrays, byte use_psk_key)
             XMEMSET(pms, 0, sz);
             pms += sz;
         }
-        c16toa(arrays->psk_keySz, pms);
+        c16toa((word16)arrays->psk_keySz, pms);
         pms += OPAQUE16_LEN;
         XMEMCPY(pms, arrays->psk_key, arrays->psk_keySz);
         arrays->preMasterSz = sz + arrays->psk_keySz + OPAQUE16_LEN * 2;

diff --git a/src/ocsp.c b/src/ocsp.c
@@ -2520,8 +2520,8 @@ int wc_OcspResponder_SetCertStatus(OcspResponder* responder,
     if (status == CERT_REVOKED) {
         if (revocationTime <= 0)
             goto out;
-        if (revocationReason < CRL_REASON_UNSPECIFIED ||
-            revocationReason > CRL_REASON_AA_COMPROMISE)
+        if (revocationReason < WC_CRL_REASON_UNSPECIFIED ||
+            revocationReason > WC_CRL_REASON_AA_COMPROMISE)
             goto out;
         /* Skip value 7 which is not used */
         if (revocationReason == 7)

diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c
@@ -1510,7 +1510,7 @@ int test_ocsp_responder(void)
             "./certs/ca-key.der",
             "./certs/server-cert.der",
             CERT_GOOD,
-            0, CRL_REASON_UNSPECIFIED,
+            0, WC_CRL_REASON_UNSPECIFIED,
             86400, /* validityPeriod - 24 hours */
             0,
             "RSA server cert - GOOD status"
@@ -1521,7 +1521,7 @@ int test_ocsp_responder(void)
             "./certs/ca-key.der",
             "./certs/server-cert.der",
             CERT_REVOKED,
-            now, CRL_REASON_KEY_COMPROMISE,  /* Revoked due to key compromise */
+            now, WC_CRL_REASON_KEY_COMPROMISE,  /* Revoked due to key compromise */
             0,     /* validityPeriod (not used for REVOKED) */
             OCSP_CERT_REVOKED,
             "RSA server cert - REVOKED status"
@@ -1532,7 +1532,7 @@ int test_ocsp_responder(void)
             "./certs/ca-key.der",
             "./certs/server-cert.der",
             CERT_UNKNOWN,
-            0, CRL_REASON_UNSPECIFIED,
+            0, WC_CRL_REASON_UNSPECIFIED,
             0,     /* validityPeriod (not used for UNKNOWN) */
             OCSP_CERT_UNKNOWN,
             "RSA server cert - UNKNOWN status"
@@ -1543,7 +1543,7 @@ int test_ocsp_responder(void)
             "./certs/ocsp/ocsp-responder-key.der",
             "./certs/ocsp/intermediate1-ca-cert.der",
             CERT_GOOD,
-            0, CRL_REASON_UNSPECIFIED,
+            0, WC_CRL_REASON_UNSPECIFIED,
             86400, /* validityPeriod - 24 hours */
             0,
             "RSA int1 cert with responder - GOOD status"
@@ -1554,7 +1554,7 @@ int test_ocsp_responder(void)
             "./certs/ocsp/ocsp-responder-key.der",
             "./certs/ocsp/intermediate1-ca-cert.der",
             CERT_REVOKED,
-            now, CRL_REASON_KEY_COMPROMISE,  /* Revoked due to key compromise */
+            now, WC_CRL_REASON_KEY_COMPROMISE,  /* Revoked due to key compromise */
             0,     /* validityPeriod (not used for REVOKED) */
             OCSP_CERT_REVOKED,
             "RSA int1 cert with responder - REVOKED status"
@@ -1565,7 +1565,7 @@ int test_ocsp_responder(void)
             "./certs/ocsp/ocsp-responder-key.der",
             "./certs/ocsp/intermediate1-ca-cert.der",
             CERT_UNKNOWN,
-            0, CRL_REASON_UNSPECIFIED,
+            0, WC_CRL_REASON_UNSPECIFIED,
             0,     /* validityPeriod (not used for UNKNOWN) */
             OCSP_CERT_UNKNOWN,
             "RSA int1 cert with responder - UNKNOWN status"
@@ -1577,7 +1577,7 @@ int test_ocsp_responder(void)
             "./certs/ca-ecc-key.der",
             "./certs/server-ecc.der",
             CERT_GOOD,
-            0, CRL_REASON_UNSPECIFIED,
+            0, WC_CRL_REASON_UNSPECIFIED,
             86400, /* validityPeriod - 24 hours */
             0,
             "ECC server cert - GOOD status"
@@ -1588,7 +1588,7 @@ int test_ocsp_responder(void)
             "./certs/ca-ecc-key.der",
             "./certs/server-ecc.der",
             CERT_REVOKED,
-            now, CRL_REASON_AFFILIATION_CHANGED,
+            now, WC_CRL_REASON_AFFILIATION_CHANGED,
             0,     /* validityPeriod (not used for REVOKED) */
             OCSP_CERT_REVOKED,
             "ECC server cert - REVOKED status"
@@ -1599,7 +1599,7 @@ int test_ocsp_responder(void)
             "./certs/ca-ecc-key.der",
             "./certs/server-ecc.der",
             CERT_UNKNOWN,
-            0, CRL_REASON_UNSPECIFIED,
+            0, WC_CRL_REASON_UNSPECIFIED,
             0,     /* validityPeriod (not used for UNKNOWN) */
             OCSP_CERT_UNKNOWN,
             "ECC server cert - UNKNOWN status"

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -23259,6 +23259,15 @@ static wcchar kDecInfoHeader = "DEK-Info";
 #if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256)
     static wcchar kEncTypeAesCbc256 = "AES-256-CBC";
 #endif
+#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128)
+    static wcchar kEncTypeAesCtr128 = "AES-128-CTR";
+#endif
+#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_192)
+    static wcchar kEncTypeAesCtr192 = "AES-192-CTR";
+#endif
+#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_256)
+    static wcchar kEncTypeAesCtr256 = "AES-256-CTR";
+#endif
 
 int wc_EncryptedInfoGet(EncryptedInfo* info, const char* cipherInfo)
 {
@@ -23314,6 +23323,30 @@ int wc_EncryptedInfoGet(EncryptedInfo* info, const char* cipherInfo)
         if (info->ivSz == 0) info->ivSz  = AES_IV_SIZE;
     }
     else
+#endif
+#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128)
+    if (XSTRCMP(cipherInfo, kEncTypeAesCtr128) == 0) {
+        info->cipherType = WC_CIPHER_AES_CTR;
+        info->keySz = AES_128_KEY_SIZE;
+        if (info->ivSz == 0) info->ivSz  = AES_IV_SIZE;
+    }
+    else
+#endif
+#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_192)
+    if (XSTRCMP(cipherInfo, kEncTypeAesCtr192) == 0) {
+        info->cipherType = WC_CIPHER_AES_CTR;
+        info->keySz = AES_192_KEY_SIZE;
+        if (info->ivSz == 0) info->ivSz  = AES_IV_SIZE;
+    }
+    else
+#endif
+#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_256)
+    if (XSTRCMP(cipherInfo, kEncTypeAesCtr256) == 0) {
+        info->cipherType = WC_CIPHER_AES_CTR;
+        info->keySz = AES_256_KEY_SIZE;
+        if (info->ivSz == 0) info->ivSz  = AES_IV_SIZE;
+    }
+    else
 #endif
     {
         ret = NOT_COMPILED_IN;

diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c
@@ -1147,7 +1147,7 @@ static byte* PKCS12_ConcatenateContent(WC_PKCS12* pkcs12,byte* mergedData,
 {
     byte* oldContent;
     word32 oldContentSz;
-    word32 newSz;
+    word32 newSz = 0;
 
     (void)pkcs12;
 

diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
@@ -2899,17 +2899,17 @@ WOLFSSL_LOCAL int OcspDecodeCertID(const byte* input, word32* inOutIdx, word32 i
 #ifdef HAVE_OCSP_RESPONDER
 /* Revocation reason codes from RFC 5280 */
 enum WC_CRL_Reason {
-    CRL_REASON_UNSPECIFIED             = 0,
-    CRL_REASON_KEY_COMPROMISE          = 1,
-    CRL_REASON_CA_COMPROMISE           = 2,
-    CRL_REASON_AFFILIATION_CHANGED     = 3,
-    CRL_REASON_SUPERSEDED              = 4,
-    CRL_REASON_CESSATION_OF_OPERATION  = 5,
-    CRL_REASON_CERTIFICATE_HOLD        = 6,
+    WC_CRL_REASON_UNSPECIFIED             = 0,
+    WC_CRL_REASON_KEY_COMPROMISE          = 1,
+    WC_CRL_REASON_CA_COMPROMISE           = 2,
+    WC_CRL_REASON_AFFILIATION_CHANGED     = 3,
+    WC_CRL_REASON_SUPERSEDED              = 4,
+    WC_CRL_REASON_CESSATION_OF_OPERATION  = 5,
+    WC_CRL_REASON_CERTIFICATE_HOLD        = 6,
     /* value 7 is not used */
-    CRL_REASON_REMOVE_FROM_CRL         = 8,
-    CRL_REASON_PRIVILEGE_WITHDRAWN     = 9,
-    CRL_REASON_AA_COMPROMISE           = 10
+    WC_CRL_REASON_REMOVE_FROM_CRL         = 8,
+    WC_CRL_REASON_PRIVILEGE_WITHDRAWN     = 9,
+    WC_CRL_REASON_AA_COMPROMISE           = 10
 };
 
 /* Certificate status entry for a single certificate */