From e0ab92058ba8610c60d08ec520dd2d99c8b63221 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Tue, 7 Jan 2020 11:55:07 +0100
Subject: [PATCH] Check CRL extension errors but don't require them
---
 wolfcrypt/src/asn.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 582654aed..01e30541f 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -16030,14 +16030,17 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 idx = *inOutIdx;
+ /* CRL Extensions are optional */
 if ((idx + 1) > sz)
- return BUFFER_E;
+ return 0;
+ /* CRL Extensions are optional */
 if (GetASNTag(buf, &idx, &tag, sz) < 0)
- return ASN_PARSE_E;
+ return 0;
+ /* CRL Extensions are optional */
 if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
- return ASN_PARSE_E;
+ return 0;
 if (GetLength(buf, &idx, &length, sz) < 0)
 return ASN_PARSE_E;
@@ -16130,8 +16133,8 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
 if (ParseCRL_CertList(dcrl, buff, &idx, idx + len) < 0)
 return ASN_PARSE_E;
- /* CRL Extensions optional, ignoring errors */
- ParseCRL_Extensions(dcrl, buff, &idx, idx + len);
+ if (ParseCRL_Extensions(dcrl, buff, &idx, idx + len) < 0)
+ return ASN_PARSE_E;
 idx = dcrl->sigIndex;
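Review bot: The three early `return 0` paths in ParseCRL_Extensions make "no extensions present" indistinguishable from "bytes are present but are not a well-formed [0] element", so any other tag at this position is accepted as an extension-less CRL. Absence is better expressed as having reached the end of the enclosing structure, e.g. `if (idx == sz) return 0;`, while a failed GetASNTag or a wrong tag keeps `return ASN_PARSE_E;`. That only works if `sz` really is the end of the TBSCertList, which depends on the bound the caller passes in the ParseCRL hunk. The comment `/* CRL Extensions are optional */` appears three times; a single comment above the first check naming the conditions treated as "absent" would say more. The function body starts and ends outside the hunk, so whether `*inOutIdx` is left unchanged on these paths cannot be confirmed from here.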
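Review bot: The limit passed to ParseCRL_Extensions is `idx + len`, evaluated after ParseCRL_CertList has been handed `&idx`. If that call advances `idx`, as an in/out index presumably does, the extension parser is allowed to read past the end used for the certificate list. Now that the return value is enforced, consider passing the end of the TBSCertList explicitly, presumably `dcrl->sigIndex` given the `idx = dcrl->sigIndex;` that follows: `if (ParseCRL_Extensions(dcrl, buff, &idx, dcrl->sigIndex) < 0)`. The definitions of `len` and `sigIndex` are outside the hunk, so this needs confirming against the full function. A regression test with a CRL whose extensions block is truncated would pin the new error path.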