From d2dac8e4b8d90000811334695ff320e461c3f431 Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Wed, 21 Oct 2020 13:30:51 -0700
Subject: [PATCH 1/2] Example Client OCSP Option Fix 1. Before checking to see
 if the must staple flag is on the 'W' option,    check the length of
 myoptarg.

---
 examples/client/client.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/examples/client/client.c b/examples/client/client.c
index 8af3ec123..88795ac0d 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -1944,15 +1944,21 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             case 'W' :
                 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
                  || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+                {
+                    word32 myoptargSz;
+
                     statusRequest = atoi(myoptarg);
                     if (statusRequest > OCSP_STAPLING_OPT_MAX) {
                         Usage();
                         XEXIT_T(MY_EX_USAGE);
                     }
-                    if (myoptarg[XSTRLEN(myoptarg)-1] == 'M' ||
-                                         myoptarg[XSTRLEN(myoptarg)-1] == 'm') {
+
+                    myoptargSz = (word32)XSTRLEN(myoptarg);
+                    if (myoptargSz > 0 &&
+                            XTOUPPER(myoptarg[myoptargSz-1]) == 'M') {
                         mustStaple = 1;
                     }
+                }
                 #endif
                 break;
 

From e28303b40ac4b4ecdd2d2342c236000ee3c55c02 Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Wed, 21 Oct 2020 21:47:32 -0700
Subject: [PATCH 2/2] In DoServerKeyExchange(), when reading the DH key from
 the server, the client was checking it too strictly. The pubkey value should
 be checked as strictly as the generator, for too large. The public key value
 is checked mathematically elsewhere.

---
 src/internal.c | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 23d3c2521..335aeb718 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -21330,17 +21330,6 @@ static int GetDhPublicKey(WOLFSSL* ssl, const byte* input, word32 size,
         ERROR_OUT(BUFFER_ERROR, exit_gdpk);
     }
 
-    if (length < ssl->options.minDhKeySz) {
-        WOLFSSL_MSG("Server using a public DH key that is too small");
-        SendAlert(ssl, alert_fatal, handshake_failure);
-        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
-                DYNAMIC_TYPE_PUBLIC_KEY);
-        ssl->buffers.serverDH_P.buffer = NULL;
-        XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
-                DYNAMIC_TYPE_PUBLIC_KEY);
-        ssl->buffers.serverDH_G.buffer = NULL;
-        ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
-    }
     if (length > ssl->options.maxDhKeySz) {
         WOLFSSL_MSG("Server using a public DH key that is too big");
         SendAlert(ssl, alert_fatal, handshake_failure);