From 2b6ffec322881d8a0b5000baaf2b9386286fd11c Mon Sep 17 00:00:00 2001
From: Hideki Miyazaki
Date: Sat, 21 Sep 2024 16:03:17 +0900
Subject: [PATCH] addressed review comments

---
 src/tls13.c | 17 ++++++++++-------
 wolfssl/internal.h | 7 +++++++
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/src/tls13.c b/src/tls13.c
index 6d8224740e..33d835ee52 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -8404,7 +8404,7 @@ static word32 NextCert(byte* data, word32 length, word32* idx)
     return len;
 }
 
-#if defined(HAVE_CERTIFICATE_STATUS_REQUEST)
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER)
 /* Write certificate status request into certificate to buffer.
  *
  * ssl SSL/TLS object.
@@ -8529,7 +8529,7 @@ static int SendTls13Certificate(WOLFSSL* ssl)
 {
     int ret = 0;
     word32 certSz, certChainSz, headerSz, listSz, payloadSz;
-    word16 extSz[1 + MAX_CERT_EXTENSIONS];
+    word16 extSz[MAX_CERT_EXTENSIONS];
     word16 extIdx = 0;
     word32 maxFragment;
     word32 totalextSz = 0;
@@ -8597,7 +8597,7 @@ static int SendTls13Certificate(WOLFSSL* ssl)
     for (extIdx = 0; extIdx < (word16)XELEM_CNT(extSz); extIdx++)
         extSz[extIdx] = OPAQUE16_LEN;
 
-    #if defined(HAVE_CERTIFICATE_STATUS_REQUEST)
+    #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER)
     /* We only send CSR on the server side. On client side, the CSR data
      * is populated with the server response. We would be sending the server
      * its own stapling data. */
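Review bot: Shrinking `extSz` to `MAX_CERT_EXTENSIONS` elements in the hunk at 8529 leaves the saturation guard in the chain loop at 8754 (`if (MAX_CERT_EXTENSIONS > extIdx) extIdx++;`) able to yield `extIdx == MAX_CERT_EXTENSIONS`, which is now one past the end of the array when `extSz[extIdx]` is read by the following `AddCertExt` call. With the previous `1 + MAX_CERT_EXTENSIONS` size that index was the spare slot; whether it is still reachable depends on how MAX_CERT_EXTENSIONS compares with the maximum number of chain certificates, which this patch does not show. Either keep the spare element or tighten the guard to `if (extIdx + 1 < MAX_CERT_EXTENSIONS)` so the index stays in bounds, and the same bound presumably has to hold for `ssl->buffers.certExts[extIdx]` used inside AddCertExt. SendTls13Certificate's body starts and ends outside these hunks.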
@@ -8730,14 +8730,14 @@ static int SendTls13Certificate(WOLFSSL* ssl)
         if (certSz > 0 && ssl->fragOffset < certSz + extSz[0]) {
             /* Put in the leaf certificate with extensions. */
             word32 copySz = AddCertExt(ssl, ssl->buffers.certificate->buffer,
-                certSz, extSz[extIdx], ssl->fragOffset, fragSz,
-                output + i, extIdx);
+                certSz, extSz[0], ssl->fragOffset, fragSz,
+                output + i, 0);
             i += copySz;
             ssl->fragOffset += copySz;
             length -= copySz;
             fragSz -= copySz;
-            if (ssl->fragOffset == certSz + extSz[extIdx])
-                FreeDer(&ssl->buffers.certExts[extIdx]);
+            if (ssl->fragOffset == certSz + extSz[0])
+                FreeDer(&ssl->buffers.certExts[0]);
         }
     }
     if (certChainSz > 0 && fragSz > 0) {
@@ -8754,8 +8754,11 @@ static int SendTls13Certificate(WOLFSSL* ssl)
                 ssl->buffers.certChain->length, &idx);
             if (len == 0)
                 break;
+        #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \
+            !defined(NO_WOLFSSL_SERVER)
             if (MAX_CERT_EXTENSIONS > extIdx)
                 extIdx++;
+        #endif
         }
         /* Write out certificate and extension. */
         l = AddCertExt(ssl, p, len, extSz[extIdx], offset, fragSz,
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index c7c148db8e..7d8f442570 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1989,6 +1989,13 @@ enum Misc {
     #define MAX_CHAIN_DEPTH 9
 #endif
 
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
+    defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+    #if !defined(HAVE_OCSP)
+        #error OCSP Stapling and Stapling V2 needs OCSP. Please define HAVE_OCSP.
+    #endif
+#endif
+
 /* Max certificate extensions in TLS1.3 */
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST)
     /* Number of extensions to set each OCSP response */