From 10be06d7476afaef4e90706ee199fc8793e0e5c0 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 2 Mar 2026 21:36:58 +0100 Subject: [PATCH] Address copilot feedback --- src/tls13.c | 2 ++ wolfcrypt/src/asn.c | 16 +++++++++++----- wolfssl/wolfcrypt/settings.h | 3 +++ 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index e3671582ef..14f0cfc1d6 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -8732,6 +8732,8 @@ static int WriteCSRToBuffer(WOLFSSL* ssl, DerBuffer** certExts, if (tmpSz > (OPAQUE8_LEN + OPAQUE24_LEN) && certExts[extIdx] == NULL) { /* csr extension is not zero */ + if (tmpSz > 0xFFFF) + return BUFFER_E; extSz[extIdx] = (word16)tmpSz; ret = AllocDer(&certExts[extIdx], extSz[extIdx] + ex_offset, diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 5313f76c8e..ee4ef4065c 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -41520,13 +41520,19 @@ static int DecodeOcspReqExtensions(const byte* source, word32 sz, int length = (int)dataASN[CERTEXTASN_IDX_VAL].length; if (oid == OCSP_NONCE_OID) { - /* Extract nonce data - get data inside inner OCTET_STRING */ - ret = GetOctetString(source, &idx, &length, sz); + /* Parse inner OCTET STRING from the extension value buffer + * using a local index to avoid relying on the outer idx. */ + const byte* extData = dataASN[CERTEXTASN_IDX_VAL].data.ref.data; + word32 extDataSz = dataASN[CERTEXTASN_IDX_VAL].data.ref.length; + word32 localIdx = 0; + int innerLen = (int)extDataSz; + + ret = GetOctetString(extData, &localIdx, &innerLen, extDataSz); if (ret >= 0) { ret = 0; - if (length <= (int)sizeof(req->nonce)) { - XMEMCPY(req->nonce, source + idx, (size_t)length); - req->nonceSz = length; + if (innerLen <= (int)sizeof(req->nonce)) { + XMEMCPY(req->nonce, extData + localIdx, (size_t)innerLen); + req->nonceSz = innerLen; } else { /* Nonce too large */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 961d1799d8..66ed85d6ee 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -5071,6 +5071,9 @@ extern void uITRON4_free(void *p) ; #ifndef WOLFSSL_CERT_GEN #error "HAVE_OCSP_RESPONDER requires WOLFSSL_CERT_GEN" #endif + #ifdef NO_SHA + #error "HAVE_OCSP_RESPONDER requires SHA-1 (NO_SHA is defined)" + #endif #endif #ifdef __cplusplus