From 03e6f7cca3367082cb381b8071387f2ebc271dbb Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 18 May 2016 10:39:18 -0700
Subject: [PATCH] RFC 5280 Appendix A.1 states that the Country Name in a certificate shall have a size of 2 octets. Restrict country name length to 2 or 0.
---
 wolfcrypt/src/asn.c | 8 ++++++++
 wolfssl/wolfcrypt/asn_public.h | 1 +
 2 files changed, 9 insertions(+)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 17d3aa7eb..84ea1358e 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -6712,6 +6712,14 @@ static int SetName(byte* output, word32 outputSz, CertName* name)
 int thisLen = strLen;
 int firstSz, secondSz, seqSz, setSz;
+ /* Restrict country code size */
+ if (i == 0) {
+ if (strLen >= CTC_COUNTRY_SIZE)
+ strLen = CTC_COUNTRY_SIZE;
+ else
+ strLen = 0;
+ }
+
 if (strLen == 0) { /* no user data for this item */
 names[i].used = 0;
 continue;
diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h
index 0e719ddb2..83140e674 100644
--- a/wolfssl/wolfcrypt/asn_public.h
+++ b/wolfssl/wolfcrypt/asn_public.h
@@ -77,6 +77,7 @@ enum Ctc_Encoding {
 };
 enum Ctc_Misc {
+ CTC_COUNTRY_SIZE = 2,
 CTC_NAME_SIZE = 64,
 CTC_DATE_SIZE = 32,
 CTC_MAX_ALT_SIZE = 16384, /* may be huge */
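Review bot: `thisLen` is copied from `strLen` on the context line directly above the new block in the asn.c hunk, so after the clamp it still holds the original, unclamped length while `strLen` has become 2 or 0. The rest of SetName lies outside this hunk, but if the encoded SET/SEQUENCE sizes or the buffer bounds check are derived from `thisLen`, a country string longer than `CTC_COUNTRY_SIZE` would yield length fields that disagree with the two bytes actually written; adding `thisLen = strLen;` after the closing brace of the `if (i == 0)` block keeps the two in step. Separately, a three-character value is silently truncated and a one-character value silently dropped, so the subject that gets encoded can differ from what the caller requested. Returning an error for any non-empty length other than `CTC_COUNTRY_SIZE` would be safer than rewriting identity data. The `i == 0` test also deserves a comment such as `/* entry 0 is the country name */`, since the mapping from index to field is not visible here.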