Static analysis fixes

.github/workflows/wolfsm.yml

@@ -0,0 +1,63 @@
+name: wolfSM Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  make_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        config: [
+          # Core SM TLS cipher suites
+          '--enable-sm2 --enable-sm3 --enable-sm4-gcm --enable-sm4-ccm --enable-sha3',
+          # All SM4 modes
+          '--enable-sm2 --enable-sm3 --enable-sm4-ecb --enable-sm4-cbc --enable-sm4-ctr --enable-sm4-gcm --enable-sm4-ccm --enable-sha3',
+          # SM + all features integration test
+          '--enable-all --enable-sm2 --enable-sm3 --enable-sm4-ecb --enable-sm4-cbc --enable-sm4-ctr --enable-sm4-gcm --enable-sm4-ccm',
+        ]
+    name: make check
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - uses: actions/checkout@v4
+        name: Checkout wolfsm
+        with:
+          repository: wolfssl/wolfsm
+          path: wolfsm
+
+      - name: Install wolfsm
+        working-directory: wolfsm
+        run: ./install.sh $GITHUB_WORKSPACE
+
+      - name: Test wolfSSL with wolfSM
+        run: |
+          ./autogen.sh
+          ./configure ${{ matrix.config }}
+          make
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          for file in scripts/*.log
+          do
+              if [ -f "$file" ]; then
+                  echo "${file}:"
+                  cat "$file"
+                  echo "========================================================================"
+              fi
+          done

certs/renewcerts.sh

@@ -768,6 +768,16 @@ run_renewcerts(){
     echo "End of section"
     echo "---------------------------------------------------------------------"
 
+    ############################################################
+    ########## generate SM2 certificates #######################
+    ############################################################
+    echo "Renewing SM2 certificates"
+    cd sm2
+    ./gen-sm2-certs.sh
+    cd ..
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+
     ############################################################
     ########## update Raw Public Key certificates ##############
     ############################################################

certs/sm2/ca-sm2.pem

@@ -3,11 +3,11 @@ Certificate:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
         Signature Algorithm: SM2-with-SM3
-        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_SM2, OU = Root-SM2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
         Validity
-            Not Before: Feb 15 06:23:07 2023 GMT
-            Not After : Nov 11 06:23:07 2025 GMT
-        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = CA-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL
+            Not Before: Feb 18 17:56:57 2026 GMT
+            Not After : Nov 14 17:56:57 2028 GMT
+        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
         Subject Public Key Info:
             Public Key Algorithm: sm2
                 Public-Key: (256 bit)
@@ -29,23 +29,23 @@ Certificate:
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: SM2-with-SM3
     Signature Value:
-        30:45:02:20:47:4e:00:03:ab:34:a1:af:59:39:8f:60:36:bf:
-        89:88:42:41:27:c1:dd:57:c9:79:cb:1f:56:5c:16:b5:28:bd:
-        02:21:00:8b:2e:25:eb:21:9b:a9:2b:a6:6a:5b:db:a7:c7:2b:
-        11:df:73:15:ad:e4:c5:c3:c2:f3:b4:b4:67:af:d7:51:1c
+        30:46:02:21:00:b2:b9:5b:02:ad:78:f8:52:ba:67:cf:cb:25:
+        9b:ba:d9:56:f5:a7:ff:af:25:26:d5:f6:f3:f3:a6:f5:9a:2f:
+        9b:02:21:00:bc:96:f3:39:13:76:dc:02:35:39:0e:dc:0a:69:
+        bf:02:18:b6:01:be:ff:05:d7:2e:f2:7b:67:eb:16:e9:8e:c5
 -----BEGIN CERTIFICATE-----
-MIICljCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO
+MIIClzCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO
 BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT
 U0xfU00yMREwDwYDVQQLDAhSb290LVNNMjEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
-Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIzMDIxNTA2
-MjMwN1oXDTI1MTExMTA2MjMwN1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
+Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE3
+NTY1N1oXDTI4MTExNDE3NTY1N1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
 b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjEP
 MA0GA1UECwwGQ0Etc20yMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq
 hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xm
 U1NMMFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABCGS98sk32RNuqtme4N1qSnn
 /2RjttVCgCC94uICEjuOtACVCYDLVu1Lyo1X5q4F03YnY3E5ibdp5kiArtGpSBKj
 YzBhMB0GA1UdDgQWBBRHCkh+uwKoWiZXKxmpe2GLf12ZbjAfBgNVHSMEGDAWgBQ0
 HXlEFXmhsWOZ4+1lfGSJgP+47DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
-AwIBhjAKBggqgRzPVQGDdQNIADBFAiBHTgADqzShr1k5j2A2v4mIQkEnwd1XyXnL
-H1ZcFrUovQIhAIsuJeshm6krpmpb26fHKxHfcxWt5MXDwvO0tGev11Ec
+AwIBhjAKBggqgRzPVQGDdQNJADBGAiEAsrlbAq14+FK6Z8/LJZu62Vb1p/+vJSbV
+9vPzpvWaL5sCIQC8lvM5E3bcAjU5DtwKab8CGLYBvv8F1y7ye2frFumOxQ==
 -----END CERTIFICATE-----

certs/sm2/client-sm2.pem

@@ -2,13 +2,13 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            60:a0:4a:0b:36:eb:7d:e1:3f:74:29:a9:29:b4:05:6c:17:f7:a6:d4
+            63:dd:75:63:8a:b0:51:4f:9c:4e:ff:6d:55:4e:cd:ee:8f:26:d3:80
         Signature Algorithm: SM2-with-SM3
-        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Client-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL
+        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Client-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
         Validity
-            Not Before: Feb 15 06:23:07 2023 GMT
-            Not After : Nov 11 06:23:07 2025 GMT
-        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Client-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL
+            Not Before: Feb 18 17:56:57 2026 GMT
+            Not After : Nov 14 17:56:57 2028 GMT
+        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Client-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
         Subject Public Key Info:
             Public Key Algorithm: sm2
                 Public-Key: (256 bit)
@@ -25,7 +25,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:E4:21:B2:C5:E5:D4:9E:82:CA:F8:67:F2:28:99:F6:85:E8:F1:55:EF
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_sm2/OU=Client-sm2/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/UID=wolfSSL
-                serial:60:A0:4A:0B:36:EB:7D:E1:3F:74:29:A9:29:B4:05:6C:17:F7:A6:D4
+                serial:63:DD:75:63:8A:B0:51:4F:9C:4E:FF:6D:55:4E:CD:EE:8F:26:D3:80
             X509v3 Basic Constraints: 
                 CA:TRUE
             X509v3 Subject Alternative Name: 
@@ -34,17 +34,17 @@ Certificate:
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: SM2-with-SM3
     Signature Value:
-        30:46:02:21:00:8f:b2:b5:95:8f:79:f6:5e:75:e5:c5:e9:9a:
-        12:d2:0f:78:9f:c0:1d:8d:1c:be:6b:0c:f1:f5:57:60:db:91:
-        4f:02:21:00:87:5e:7d:e4:d6:3a:bb:7b:98:27:85:de:7a:f0:
-        21:e2:66:a1:9f:26:e0:dd:86:23:b4:c8:c0:46:5a:f2:49:8d
+        30:46:02:21:00:dd:98:90:68:35:95:61:2f:11:90:a5:e9:30:
+        8b:9a:aa:33:cc:73:8a:76:96:8b:97:8c:4c:c3:10:fc:14:56:
+        9b:02:21:00:f8:de:db:67:54:59:ca:98:27:3d:3f:f6:6f:30:
+        0c:65:e1:fb:a0:9f:11:ab:ea:76:30:31:c4:66:11:d7:b9:f2
 -----BEGIN CERTIFICATE-----
-MIIDyTCCA26gAwIBAgIUYKBKCzbrfeE/dCmpKbQFbBf3ptQwCgYIKoEcz1UBg3Uw
+MIIDyTCCA26gAwIBAgIUY911Y4qwUU+cTv9tVU7N7o8m04AwCgYIKoEcz1UBg3Uw
 gbAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
 bWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjETMBEGA1UECwwKQ2xpZW50LXNtMjEY
 MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0yMzAyMTUwNjIz
-MDdaFw0yNTExMTEwNjIzMDdaMIGwMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9u
+bGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0yNjAyMTgxNzU2
+NTdaFw0yODExMTQxNzU2NTdaMIGwMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9u
 dGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECgwLd29sZlNTTF9zbTIxEzAR
 BgNVBAsMCkNsaWVudC1zbTIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0G
 CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dv
@@ -55,9 +55,9 @@ BIHoMIHlgBTkIbLF5dSegsr4Z/IomfaF6PFV76GBtqSBszCBsDELMAkGA1UEBhMC
 VVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoM
 C3dvbGZTU0xfc20yMRMwEQYDVQQLDApDbGllbnQtc20yMRgwFgYDVQQDDA93d3cu
 d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV
-BgoJkiaJk/IsZAEBDAd3b2xmU1NMghRgoEoLNut94T90KakptAVsF/em1DAMBgNV
+BgoJkiaJk/IsZAEBDAd3b2xmU1NMghRj3XVjirBRT5xO/21VTs3ujybTgDAMBgNV
 HRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQW
-MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqgRzPVQGDdQNJADBGAiEAj7K1lY95
-9l515cXpmhLSD3ifwB2NHL5rDPH1V2DbkU8CIQCHXn3k1jq7e5gnhd568CHiZqGf
-JuDdhiO0yMBGWvJJjQ==
+MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqgRzPVQGDdQNJADBGAiEA3ZiQaDWV
+YS8RkKXpMIuaqjPMc4p2louXjEzDEPwUVpsCIQD43ttnVFnKmCc9P/ZvMAxl4fug
+nxGr6nYwMcRmEde58g==
 -----END CERTIFICATE-----

certs/sm2/fix_sm2_spki.py

@@ -0,0 +1,179 @@
+#!/usr/bin/env python3
+"""Fix SM2 certificate SubjectPublicKeyInfo algorithm OID.
+
+OpenSSL 3.x encodes SM2 keys using the generic id-ecPublicKey OID
+(1.2.840.10045.2.1) instead of the SM2-specific OID (1.2.156.10197.1.301).
+This script patches the SPKI algorithm OID back to SM2 and re-signs the
+certificate.
+
+Usage: fix_sm2_spki.py <cert.pem> <signing-key.pem> <output.pem>
+"""
+
+import base64
+import subprocess
+import sys
+import os
+import tempfile
+
+EC_PUBKEY_OID = bytes([0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01])
+SM2_ALGO_OID  = bytes([0x06, 0x08, 0x2a, 0x81, 0x1c, 0xcf, 0x55, 0x01, 0x82, 0x2d])
+SM2_WITH_SM3  = bytes([0x30, 0x0a, 0x06, 0x08,
+                       0x2a, 0x81, 0x1c, 0xcf, 0x55, 0x01, 0x83, 0x75])
+
+
+def read_der_length(data, offset):
+    b = data[offset]
+    if b < 0x80:
+        return b, 1
+    num_bytes = b & 0x7f
+    length = 0
+    for i in range(num_bytes):
+        length = (length << 8) | data[offset + 1 + i]
+    return length, 1 + num_bytes
+
+
+def encode_der_length(length):
+    if length < 0x80:
+        return bytes([length])
+    elif length < 0x100:
+        return bytes([0x81, length])
+    elif length < 0x10000:
+        return bytes([0x82, length >> 8, length & 0xff])
+    else:
+        raise ValueError("Length too large: %d" % length)
+
+
+def find_enclosing_sequences(data, target_pos):
+    """Find length-field offsets of all SEQUENCEs enclosing target_pos."""
+    results = []
+
+    def scan(offset, end):
+        while offset < end:
+            tag = data[offset]
+            offset += 1
+            length, len_bytes = read_der_length(data, offset)
+            len_offset = offset
+            offset += len_bytes
+            content_start = offset
+            content_end = offset + length
+
+            if tag == 0x30 and content_start <= target_pos < content_end:
+                results.append((len_offset, length, len_bytes))
+                scan(content_start, content_end)
+                return
+            offset = content_end
+
+    scan(0, len(data))
+    return results
+
+
+def patch_tbs_spki_oid(tbs_der):
+    """Replace id-ecPublicKey with SM2 OID in TBS SubjectPublicKeyInfo."""
+    oid_pos = tbs_der.find(EC_PUBKEY_OID)
+    if oid_pos == -1:
+        return None  # Already has SM2 OID or no EC key
+
+    enclosing = find_enclosing_sequences(tbs_der, oid_pos)
+    size_diff = len(SM2_ALGO_OID) - len(EC_PUBKEY_OID)
+
+    result = bytearray(
+        tbs_der[:oid_pos] + SM2_ALGO_OID + tbs_der[oid_pos + len(EC_PUBKEY_OID):]
+    )
+
+    for len_offset, old_length, old_len_bytes in enclosing:
+        new_length = old_length + size_diff
+        new_len_encoded = encode_der_length(new_length)
+        if len(new_len_encoded) == old_len_bytes:
+            result[len_offset:len_offset + old_len_bytes] = new_len_encoded
+        else:
+            result[len_offset:len_offset + old_len_bytes] = new_len_encoded
+            size_diff += len(new_len_encoded) - old_len_bytes
+
+    return bytes(result)
+
+
+def pem_to_der(pem_text):
+    b64 = ''.join(
+        line for line in pem_text.split('\n')
+        if not line.startswith('-----') and line.strip()
+    )
+    return base64.b64decode(b64)
+
+
+def der_to_pem(der_data, label="CERTIFICATE"):
+    b64 = base64.b64encode(der_data).decode()
+    lines = [b64[i:i+64] for i in range(0, len(b64), 64)]
+    return ('-----BEGIN %s-----\n' % label +
+            '\n'.join(lines) +
+            '\n-----END %s-----\n' % label)
+
+
+def extract_tbs(cert_der):
+    assert cert_der[0] == 0x30
+    outer_len, outer_len_bytes = read_der_length(cert_der, 1)
+    tbs_offset = 1 + outer_len_bytes
+    tbs_len, tbs_len_bytes = read_der_length(cert_der, tbs_offset + 1)
+    tbs_total = 1 + tbs_len_bytes + tbs_len
+    return cert_der[tbs_offset:tbs_offset + tbs_total]
+
+
+def sign_tbs(tbs_der, key_pem_path):
+    """Sign TBS with SM2-with-SM3 using openssl dgst."""
+    with tempfile.NamedTemporaryFile(suffix='.der', delete=False) as tbs_f:
+        tbs_f.write(tbs_der)
+        tbs_path = tbs_f.name
+
+    sig_path = tbs_path + '.sig'
+    try:
+        result = subprocess.run(
+            ['openssl', 'dgst', '-sm3', '-sign', key_pem_path,
+             '-out', sig_path, tbs_path],
+            capture_output=True, text=True
+        )
+        if result.returncode != 0:
+            raise RuntimeError("openssl dgst failed: " + result.stderr)
+
+        with open(sig_path, 'rb') as f:
+            return f.read()
+    finally:
+        os.unlink(tbs_path)
+        if os.path.exists(sig_path):
+            os.unlink(sig_path)
+
+
+def build_cert(tbs_der, sig_der):
+    bit_string = bytes([0x03, len(sig_der) + 1, 0x00]) + sig_der
+    cert_body = tbs_der + SM2_WITH_SM3 + bit_string
+    return bytes([0x30]) + encode_der_length(len(cert_body)) + cert_body
+
+
+def fix_sm2_cert(cert_pem_path, key_pem_path, output_pem_path):
+    with open(cert_pem_path, 'r') as f:
+        cert_pem = f.read()
+
+    cert_der = pem_to_der(cert_pem)
+    tbs = extract_tbs(cert_der)
+
+    new_tbs = patch_tbs_spki_oid(tbs)
+    if new_tbs is None:
+        print("  Already has SM2 OID, no patching needed")
+        if cert_pem_path != output_pem_path:
+            with open(output_pem_path, 'w') as f:
+                f.write(cert_pem)
+        return
+
+    sig = sign_tbs(new_tbs, key_pem_path)
+    new_cert_der = build_cert(new_tbs, sig)
+
+    with open(output_pem_path, 'w') as f:
+        f.write(der_to_pem(new_cert_der))
+
+    print("  Patched SPKI algorithm OID to SM2")
+
+
+if __name__ == '__main__':
+    if len(sys.argv) != 4:
+        print("Usage: %s <cert.pem> <signing-key.pem> <output.pem>" % sys.argv[0])
+        sys.exit(1)
+
+    fix_sm2_cert(sys.argv[1], sys.argv[2], sys.argv[3])