From cad645da200c01f0903da5b515b9cdcb1668d69c Mon Sep 17 00:00:00 2001 From: Zhi Guan Date: Wed, 17 Jun 2026 16:55:36 +0800 Subject: [PATCH] Bug fix --- CMakeLists.txt | 2 +- include/gmssl/version.h | 2 +- tools/certverify.c | 6 +++--- tools/cmsencrypt.c | 3 +++ tools/ocspsign.c | 3 +++ tools/tlcp_server.c | 11 ++++++++--- 6 files changed, 19 insertions(+), 8 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 2583d5cb..7f467b3f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -819,7 +819,7 @@ endif() # set(CPACK_PACKAGE_NAME "GmSSL") set(CPACK_PACKAGE_VENDOR "GmSSL develop team") -set(CPACK_PACKAGE_VERSION "3.2.0-dev.1084") +set(CPACK_PACKAGE_VERSION "3.2.0-dev.1085") set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md) set(CPACK_NSIS_MODIFY_PATH ON) include(CPack) diff --git a/include/gmssl/version.h b/include/gmssl/version.h index dfd026b6..ff64dded 100644 --- a/include/gmssl/version.h +++ b/include/gmssl/version.h @@ -18,7 +18,7 @@ extern "C" { #define GMSSL_VERSION_NUM 30200 -#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1084" +#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1085" int gmssl_version_num(void); const char *gmssl_version_str(void); diff --git a/tools/certverify.c b/tools/certverify.c index d184648a..db9fbe02 100644 --- a/tools/certverify.c +++ b/tools/certverify.c @@ -51,9 +51,9 @@ int certverify_main(int argc, char **argv) char *cacertfile = NULL; FILE *infp = stdin; FILE *cacertfp = NULL; - uint8_t cert[1024]; + uint8_t cert[8192]; size_t certlen; - uint8_t cacert[1024]; + uint8_t cacert[8192]; size_t cacertlen; char signer_id[SM2_MAX_ID_LENGTH + 1] = {0}; size_t signer_id_len = 0; @@ -73,7 +73,7 @@ int certverify_main(int argc, char **argv) size_t enc_subject_len; int double_certs = 0; - uint8_t enc_cert[1024]; + uint8_t enc_cert[8192]; size_t enc_cert_len; int rv; diff --git a/tools/cmsencrypt.c b/tools/cmsencrypt.c index c95d7247..82aea02f 100644 --- a/tools/cmsencrypt.c +++ b/tools/cmsencrypt.c 
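Review bot: The new size 8192 is repeated as a bare literal for `cert`, `cacert` and, in the second hunk of this file, `enc_cert`, so the three limits can drift apart and the reason for the number is not recorded. A single named constant would fix that, for example `enum { CERTVERIFY_MAX_CERT_SIZE = 8192 };` used as `uint8_t cert[CERTVERIFY_MAX_CERT_SIZE];`, with a comment such as `/* largest DER certificate this tool accepts */`. The code that fills these buffers is outside both hunks (the body of `certverify_main` continues past them), so it is worth confirming that each read is bounded by `sizeof` of its buffer rather than by the old 1024. An oversized certificate should be rejected with an error, not truncated before verification.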
@@ -103,6 +103,9 @@ int cmsencrypt_main(int argc, char **argv) } cert = rcpt_certs; + // FIXME: TOCTOU between file_size measurement and fread. If the file shrinks + // after measurement, the buffer is oversized but only actual bytes read are + // encrypted (inlen is updated by fread). If the file grows, data is truncated. if (get_files_size(argc, argv, "-in", &inlen) != 1) { goto end; } diff --git a/tools/ocspsign.c b/tools/ocspsign.c index 6414ffab..7f7a2fe8 100644 --- a/tools/ocspsign.c +++ b/tools/ocspsign.c @@ -452,6 +452,9 @@ bad: fprintf(stderr, "%s: generate OCSPResponse failure\n", prog); goto end; } + // FIXME: resplen = 0 resets buffer capacity before second ocsp_sign call. + // If ocsp_sign() uses *outlen as input buffer capacity, passing 0 may + // allow buffer overflow. Proposed fix: resplen = sizeof(resp); resplen = 0; if (ocsp_sign(&ocsp_ctx, cert_status, revocation_time, this_update, signer_cert, signer_cert_len, &sign_key, diff --git a/tools/tlcp_server.c b/tools/tlcp_server.c index c55f6fa5..d1f9e1fc 100644 --- a/tools/tlcp_server.c +++ b/tools/tlcp_server.c @@ -331,17 +331,22 @@ restart: if (tls_init(&conn, &ctx) != 1 || tls_set_socket(&conn, conn_sock) != 1) { error_print(); - return -1; + tls_socket_close(conn_sock); + goto restart; } if (tls_socket_set_nonblocking(conn_sock, 1) != 1) { error_print(); - return -1; + tls_cleanup(&conn); + tls_socket_close(conn_sock); + goto restart; } if (do_handshake_select(&conn) != 1) { error_print(); - return -1; + tls_cleanup(&conn); + tls_socket_close(conn_sock); + goto restart; } for (;;) {
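Review bot: The added FIXME records that input which grows between `get_files_size()` and the later read is silently truncated, but the hunk leaves the behaviour unchanged, so the tool can still produce a ciphertext that covers only part of the file and report success. The follow-up should make that case an error: after the read, check whether the input still has bytes left and `goto end` with a message if it does. The comment's statement that `inlen` is updated by `fread` cannot be checked here because the read is outside the hunk. Until the fix lands, a wording such as `// FIXME: input that grows after get_files_size() is truncated without an error` states the user-visible risk more directly.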
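Review bot: This FIXME names a possible buffer overflow and a proposed fix, yet `resplen = 0;` on the next line is left as it was, so the question ships unresolved in the path that writes the signed OCSP response. It should be settled against the definition of `ocsp_sign()`, which is not visible in this hunk: if `*outlen` is read as the capacity of `resp`, change the line to `resplen = sizeof(resp);`. If it is a pure output or an accumulated length, replace the FIXME with a comment that says so and states what bounds the write into `resp`. The comment's reasoning is itself uncertain, since a capacity of 0 would more plausibly make the call fail than overflow, so it should be confirmed or removed rather than kept as a guess.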
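Review bot: The first error branch closes the socket but does not call `tls_cleanup(&conn)`, unlike the two branches after it, although `tls_init(&conn, &ctx)` may already have succeeded when `tls_set_socket()` is the call that failed. Because the server now jumps back to `restart` instead of exiting, anything `tls_init()` acquired would be lost once per failed connection, and a remote peer can repeat that. If `tls_cleanup()` is safe on a partly initialised `conn` (its definition is not shown), add `tls_cleanup(&conn);` before `tls_socket_close(conn_sock);` in that branch; otherwise split the condition so the `tls_set_socket()` failure path cleans up. The `restart:` label and the accept loop are outside the hunk, so it is also worth confirming that a persistent failure cannot turn `goto restart` into a busy loop.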