Address copilot feedback

julek-wolfssl · julek-wolfssl · commit b2750c8c3e96 · 2026-03-10T18:04:52.000+01:00
diff --git a/src/tls13.c b/src/tls13.c
@@ -8722,6 +8722,8 @@ static int WriteCSRToBuffer(WOLFSSL* ssl, DerBuffer** certExts,
             if (tmpSz > (OPAQUE8_LEN + OPAQUE24_LEN) &&
                 certExts[extIdx] == NULL) {
                 /* csr extension is not zero */
+                if (tmpSz > 0xFFFF)
+                    return BUFFER_E;
                 extSz[extIdx] = (word16)tmpSz;
 
                 ret = AllocDer(&certExts[extIdx], extSz[extIdx] + ex_offset,
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -41520,13 +41520,19 @@ static int DecodeOcspReqExtensions(const byte* source, word32 sz,
             int length = (int)dataASN[CERTEXTASN_IDX_VAL].length;
 
             if (oid == OCSP_NONCE_OID) {
-                /* Extract nonce data - get data inside inner OCTET_STRING */
-                ret = GetOctetString(source, &idx, &length, sz);
+                /* Parse inner OCTET STRING from the extension value buffer
+                 * using a local index to avoid relying on the outer idx. */
+                const byte* extData = dataASN[CERTEXTASN_IDX_VAL].data.ref.data;
+                word32 extDataSz = dataASN[CERTEXTASN_IDX_VAL].data.ref.length;
+                word32 localIdx = 0;
+                int innerLen = (int)extDataSz;
+
+                ret = GetOctetString(extData, &localIdx, &innerLen, extDataSz);
                 if (ret >= 0) {
                     ret = 0;
-                    if (length <= (int)sizeof(req->nonce)) {
-                        XMEMCPY(req->nonce, source + idx, (size_t)length);
-                        req->nonceSz = length;
+                    if (innerLen <= (int)sizeof(req->nonce)) {
+                        XMEMCPY(req->nonce, extData + localIdx, (size_t)innerLen);
+                        req->nonceSz = innerLen;
                     }
                     else {
                         /* Nonce too large */
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
@@ -5034,6 +5034,9 @@ extern void uITRON4_free(void *p) ;
     #ifndef WOLFSSL_CERT_GEN
         #error "HAVE_OCSP_RESPONDER requires WOLFSSL_CERT_GEN"
     #endif
+    #ifdef NO_SHA
+        #error "HAVE_OCSP_RESPONDER requires SHA-1 (NO_SHA is defined)"
+    #endif
 #endif
 
 #ifdef __cplusplus
