Address copilot review

julek-wolfssl · julek-wolfssl · commit 6bb122d29f0e · 2026-03-11T11:08:44.000+01:00
diff --git a/examples/ocsp_responder/ocsp_responder.c b/examples/ocsp_responder/ocsp_responder.c
@@ -444,10 +444,12 @@ static int PopulateResponderFromIndex(OcspResponder* responder, IndexEntry* inde
         }
 
         for (i = 0; i < serialLen; i++) {
-            int high = (p[i*2] >= 'A') ? (p[i*2] - 'A' + 10) :
-                      (p[i*2] >= 'a') ? (p[i*2] - 'a' + 10) : (p[i*2] - '0');
-            int low = (p[i*2+1] >= 'A') ? (p[i*2+1] - 'A' + 10) :
-                     (p[i*2+1] >= 'a') ? (p[i*2+1] - 'a' + 10) : (p[i*2+1] - '0');
+            int high = ('0' <= p[i*2]   && p[i*2]   <= '9') ? (p[i*2]   - '0') :
+                       ('A' <= p[i*2]   && p[i*2]   <= 'F') ? (p[i*2]   - 'A' + 10) :
+                                                               (p[i*2]   - 'a' + 10);
+            int low  = ('0' <= p[i*2+1] && p[i*2+1] <= '9') ? (p[i*2+1] - '0') :
+                       ('A' <= p[i*2+1] && p[i*2+1] <= 'F') ? (p[i*2+1] - 'A' + 10) :
+                                                               (p[i*2+1] - 'a' + 10);
             serial[i] = (byte)((high << 4) | low);
         }
 
@@ -834,7 +836,6 @@ THREAD_RETURN WOLFSSL_THREAD ocsp_responder_test(void* args)
     }
     (void)wc_GetDecodedCertSubject(&caCert, NULL, &caSubjectSz);
     (void)caSubjectSz; /* Not used in current implementation */
-    (void)caSubjectSz; /* Not used in current implementation */
 
     /* Load index file if provided */
     if (opts.indexFile) {
diff --git a/scripts/ocsp-stapling-with-wolfssl-responder.test b/scripts/ocsp-stapling-with-wolfssl-responder.test
@@ -171,9 +171,9 @@ wait_for_readyFile(){
 
     counter=0
 
-    while [ ! -s $1 -a "$counter" -lt 20 ]; do
+    while [ ! -s "$1" ] && [ "$counter" -lt 20 ]; do
         if [[ -n "${2-}" ]]; then
-            if ! kill -0 $2 2>&-; then
+            if ! kill -0 "$2" 2>&-; then
                 echo "pid $2 for port ${3-} exited before creating ready file.  bailing..."
                 exit 1
             fi
@@ -183,7 +183,7 @@ wait_for_readyFile(){
         counter=$((counter+ 1))
     done
 
-    if test -e $1; then
+    if test -e "$1"; then
         echo -e "found ready file, starting client..."
     else
         echo -e "NO ready file at $1 -- ending test..."
diff --git a/src/ocsp.c b/src/ocsp.c
@@ -636,7 +636,7 @@ static int CheckOcspResponderChain(OcspEntry* single, byte* issuerHash,
  * @param bs              The basic OCSP response to verify
  * @param subjectHash     The subject key hash of the OCSP responder certificate
  * @param extExtKeyUsage  The extended key usage bits of the responder certificate
- * @param issuerHash      The issuer key hash of the OCSP responder certificate
+ * @param issuerHash      The issuer name hash of the OCSP responder certificate
  * @param vp              Unused (reserved for future use)
  * @return 1 if the responder is authorized to sign the response, 0 otherwise
  */
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -549,7 +549,7 @@ static word32 SizeASNLength(word32 length)
      * @param [in]      heap  Dynamic memory allocation hint.
      */
     #define ALLOC_ASNGETDATA(name, cnt, err, heap) \
-        (void)(cnt); (void)(err); (void)(heap); WC_DO_NOTHING
+        do { (void)(cnt); (void)(err); (void)(heap); } while (0)
 
     /* Clears the memory of the dynamic BER encoding data.
      *
@@ -567,7 +567,7 @@ static word32 SizeASNLength(word32 length)
      * @param [in]      heap  Dynamic memory allocation hint.
      */
     #define FREE_ASNGETDATA(name, heap) \
-        (void)(name); (void)(heap); WC_DO_NOTHING
+        do { (void)(name); (void)(heap); } while (0)
 
     /* Declare the variable that is the dynamic data for encoding DER data.
      *
@@ -585,7 +585,7 @@ static word32 SizeASNLength(word32 length)
      * @param [in]      heap  Dynamic memory allocation hint.
      */
     #define ALLOC_ASNSETDATA(name, cnt, err, heap) \
-        (void)(cnt); (void)(err); (void)(heap); WC_DO_NOTHING
+        do { (void)(cnt); (void)(err); (void)(heap); } while (0)
 
     /* Clears the memory of the dynamic BER encoding data.
      *
@@ -603,7 +603,7 @@ static word32 SizeASNLength(word32 length)
      * @param [in]      heap  Dynamic memory allocation hint.
      */
     #define FREE_ASNSETDATA(name, heap) \
-        (void)(name); (void)(heap); WC_DO_NOTHING
+        do { (void)(name); (void)(heap); } while (0)
 #endif
 
 
@@ -41385,6 +41385,8 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size)
 
     algoSz = SetAlgoID(req->hashAlg, algoArray, oidHashType, 0);
     keyIdSz = wc_HashGetDigestSize(wc_OidGetHash(req->hashAlg));
+    if (keyIdSz <= 0 || keyIdSz > WC_MAX_DIGEST_SIZE)
+        return BAD_FUNC_ARG;
 
     issuerSz    = SetDigest(req->issuerHash,    keyIdSz,    issuerArray);
     issuerKeySz = SetDigest(req->issuerKeyHash, keyIdSz,    issuerKeyArray);
@@ -41451,11 +41453,17 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size)
 
     CALLOC_ASNSETDATA(dataASN, ocspRequestASN_Length, ret, req->heap);
 
+    if (ret == 0) {
+        int digestSz = wc_HashGetDigestSize(wc_OidGetHash(req->hashAlg));
+        if (digestSz <= 0)
+            ret = BAD_FUNC_ARG;
+        else
+            keyIdSz = (word32)digestSz;
+    }
     if (ret == 0) {
         /* Set OID of hash algorithm use on issuer and key. */
         SetASN_OID(&dataASN[OCSPREQUESTASN_IDX_TBS_REQ_HASH_OID], req->hashAlg,
                 oidHashType);
-        keyIdSz = (word32)wc_HashGetDigestSize(wc_OidGetHash(req->hashAlg));
         /* Set issuer, issuer key hash and serial number of certificate being
          * checked. */
         SetASN_Buffer(&dataASN[OCSPREQUESTASN_IDX_TBS_REQ_ISSUER],
