From 81f959336b77da235aa478ad152aa841e4175bdb Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Thu, 23 Apr 2020 16:07:43 -0700
Subject: [PATCH 1/7] Added support for important private key DER using
 `wc_EccPublicKeyDecode`. Added ECC key generation and decode test case.

---
 wolfcrypt/src/asn.c   | 67 ++++++++++++++++++++++++++++++++++++-------
 wolfcrypt/test/test.c | 61 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 117 insertions(+), 11 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index c4e60043f..066f66c81 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -15369,11 +15369,11 @@ static int EccKeyParamCopy(char** dst, char* src)
 int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx,
                           ecc_key* key, word32 inSz)
 {
-    int    length;
     int    ret;
+    int    version, length;
     int    curve_id = ECC_CURVE_DEF;
     word32 oidSum, localIdx;
-    byte   tag;
+    byte   tag, isPrivFormat = 0;
 
     if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
         return BAD_FUNC_ARG;
@@ -15381,12 +15381,44 @@ int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx,
     if (GetSequence(input, inOutIdx, &length, inSz) < 0)
         return ASN_PARSE_E;
 
-    if (GetSequence(input, inOutIdx, &length, inSz) < 0)
-        return ASN_PARSE_E;
+    /* Check if ECC private key is being used and skip private portion */
+    if (GetMyVersion(input, inOutIdx, &version, inSz) >= 0) {
+        isPrivFormat = 1;
 
-    ret = SkipObjectId(input, inOutIdx, inSz);
-    if (ret != 0)
-        return ret;
+        /* Type private key */
+        if (*inOutIdx >= inSz)
+            return ASN_PARSE_E;
+        tag = input[*inOutIdx];
+        *inOutIdx += 1;
+        if (tag != 4 && tag != 6 && tag != 7)
+            return ASN_PARSE_E;
+
+        /* Skip Private Key */
+        if (GetLength(input, inOutIdx, &length, inSz) < 0)
+            return ASN_PARSE_E;
+        if (length > ECC_MAXSIZE)
+            return BUFFER_E;
+        *inOutIdx += length;
+
+        /* Private Curve Header */
+        if (*inOutIdx >= inSz)
+            return ASN_PARSE_E;
+        tag = input[*inOutIdx];
+        *inOutIdx += 1;
+        if (tag != ECC_PREFIX_0)
+            return ASN_ECC_KEY_E;
+        if (GetLength(input, inOutIdx, &length, inSz) <= 0)
+            return ASN_PARSE_E;
+    }
+    /* Standard ECC public key */
+    else {
+        if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+            return ASN_PARSE_E;
+
+        ret = SkipObjectId(input, inOutIdx, inSz);
+        if (ret != 0)
+            return ret;
+    }
 
     if (*inOutIdx >= inSz) {
         return BUFFER_E;
@@ -15541,9 +15573,24 @@ int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx,
             return ret;
 
         /* get curve id */
-        curve_id = wc_ecc_get_oid(oidSum, NULL, 0);
-        if (curve_id < 0)
-            return ECC_CURVE_OID_E;
+        if ((ret = CheckCurve(oidSum)) < 0)
+            ret = ECC_CURVE_OID_E;
+        else {
+            curve_id = ret;
+            ret = 0;
+        }
+    }
+
+    if (isPrivFormat) {
+        /* Public Curve Header - skip */
+        if (*inOutIdx >= inSz)
+            return ASN_PARSE_E;
+        tag = input[*inOutIdx];
+        *inOutIdx += 1;
+        if (tag != ECC_PREFIX_1)
+            return ASN_ECC_KEY_E;
+        if (GetLength(input, inOutIdx, &length, inSz) <= 0)
+            return ASN_PARSE_E;
     }
 
     /* key header */
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 5e29eda3e..dd795a46c 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -18441,8 +18441,56 @@ done:
 
     return ret;
 }
-#endif /* HAVE_ECC_KEY_IMPORT */
 
+static int ecc_test_key_decode(WC_RNG* rng, int keySize)
+{
+    int ret;
+    ecc_key eccKey;
+    byte tmpBuf[ECC_BUFSIZE];
+    word32 tmpSz;
+    word32 idx;
+
+    ret = wc_ecc_init(&eccKey);
+    if (ret != 0) {
+        return ret;
+    }
+    ret = wc_ecc_make_key(rng, keySize, &eccKey);
+    if (ret != 0) {
+        wc_ecc_free(&eccKey);
+        return ret;
+    }
+
+    tmpSz = sizeof(tmpBuf);
+    ret = wc_EccKeyToDer(&eccKey, tmpBuf, tmpSz);
+    wc_ecc_free(&eccKey);
+    if (ret < 0) {
+        return ret;
+    }
+    tmpSz = ret;
+
+    ret = wc_ecc_init(&eccKey);
+    if (ret != 0) {
+        return ret;
+    }
+    idx = 0;
+    ret = wc_EccPrivateKeyDecode(tmpBuf, &idx, &eccKey, tmpSz);
+    wc_ecc_free(&eccKey);
+    if (ret != 0) {
+        return ret;
+    }
+
+    ret = wc_ecc_init(&eccKey);
+    if (ret != 0) {
+        return 0;
+    }
+
+    idx = 0;
+    ret = wc_EccPublicKeyDecode(tmpBuf, &idx, &eccKey, tmpSz);
+    wc_ecc_free(&eccKey);
+
+    return ret;
+}
+#endif /* HAVE_ECC_KEY_IMPORT */
 
 #ifdef WOLFSSL_KEY_GEN
 static int ecc_test_key_gen(WC_RNG* rng, int keySize)
@@ -18912,6 +18960,17 @@ static int ecc_test_curve(WC_RNG* rng, int keySize)
 #endif
 
 #ifdef WOLFSSL_KEY_GEN
+    ret = ecc_test_key_decode(rng, keySize);
+    if (ret < 0) {
+        if (ret == ECC_CURVE_OID_E) {
+            /* ignore error for curves not found */
+        }
+        else {
+            printf("ecc_test_key_decode %d failed!: %d\n", keySize, ret);
+            return ret;
+        }
+    }
+
     ret = ecc_test_key_gen(rng, keySize);
     if (ret < 0) {
         if (ret == ECC_CURVE_OID_E) {

From 28b686a8ca62f1e0b6cdeeaff7eb076dc0392140 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Thu, 23 Apr 2020 16:11:54 -0700
Subject: [PATCH 2/7] * Exposed useful sizes `MAX_X509_HEADER_SZ` and
 `PEM_LINE_SZ` * Refactor the PEM saving code in `test.c`, so its not using
 large 4K buffer and calculates based on DER. * Enable ECC key generation test
 even without `WOLFSSL_KEY_GEN`. * Added `ECC_KEYGEN_SIZE` macro for ECC key
 generation testing. * Refactor ECC DER key generation to use `ECC_BUFSIZE`.

---
 wolfcrypt/src/asn.c     |   5 +-
 wolfcrypt/src/coding.c  |   2 +-
 wolfcrypt/test/test.c   | 236 ++++++++++++++--------------------------
 wolfssl/wolfcrypt/asn.h |   5 +-
 4 files changed, 89 insertions(+), 159 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 066f66c81..11e58a7cb 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -9798,9 +9798,8 @@ void wc_FreeDer(DerBuffer** pDer)
 
 #if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)
 
-/* Max X509 header length indicates the max length + 2 ('\n', '\0') */
-#define MAX_X509_HEADER_SZ  (37 + 2)
-
+/* Note: If items added make sure MAX_X509_HEADER_SZ is 
+    updated to reflect maximum length */
 wcchar BEGIN_CERT           = "-----BEGIN CERTIFICATE-----";
 wcchar END_CERT             = "-----END CERTIFICATE-----";
 #ifdef WOLFSSL_CERT_REQ
diff --git a/wolfcrypt/src/coding.c b/wolfcrypt/src/coding.c
index f6c814e01..c94efb03e 100644
--- a/wolfcrypt/src/coding.c
+++ b/wolfcrypt/src/coding.c
@@ -29,6 +29,7 @@
 #ifndef NO_CODING
 
 #include <wolfssl/wolfcrypt/coding.h>
+#include <wolfssl/wolfcrypt/asn.h> /* For PEM_LINE_SZ */
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
 
@@ -36,7 +37,6 @@
 enum {
     BAD         = 0xFF,  /* invalid encoding */
     PAD         = '=',
-    PEM_LINE_SZ = 64,
     BASE64_MIN  = 0x2B,
     BASE16_MIN  = 0x30,
 };
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index dd795a46c..8e405de09 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -120,11 +120,7 @@
 #include <wolfssl/wolfcrypt/wc_port.h>
 #include <wolfssl/wolfcrypt/logging.h>
 #include <wolfssl/wolfcrypt/types.h>
-#if defined(WOLFSSL_TEST_CERT) || defined(ASN_BER_TO_DER)
-    #include <wolfssl/wolfcrypt/asn.h>
-#else
-    #include <wolfssl/wolfcrypt/asn_public.h>
-#endif
+#include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/md2.h>
 #include <wolfssl/wolfcrypt/md5.h>
 #include <wolfssl/wolfcrypt/md4.h>
@@ -1286,18 +1282,17 @@ initDefaultName();
 #endif /* NO_MAIN_DRIVER */
 
 /* helper to save DER, convert to PEM and save PEM */
-#if !defined(NO_ASN) && (!defined(NO_RSA) || defined(HAVE_ECC)) && \
-    (defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN))
+#if !defined(NO_ASN) && \
+    ((!defined(NO_RSA) && defined(WOLFSSL_CERT_GEN)) || defined(HAVE_ECC))
 
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
-#define SaveDerAndPem(d, dSz, p, pSz, fD, fP, pT, eB) _SaveDerAndPem(d, dSz, p, pSz, fD, fP, pT, eB)
+#define SaveDerAndPem(d, dSz, fD, fP, pT, eB) _SaveDerAndPem(d, dSz, fD, fP, pT, eB)
 #else
-#define SaveDerAndPem(d, dSz, p, pSz, fD, fP, pT, eB) _SaveDerAndPem(d, dSz, p, pSz, NULL, NULL, pT, eB)
+#define SaveDerAndPem(d, dSz, fD, fP, pT, eB) _SaveDerAndPem(d, dSz, NULL, NULL, pT, eB)
 #endif
 
 static int _SaveDerAndPem(const byte* der, int derSz,
-    byte* pem, int pemSz, const char* fileDer,
-    const char* filePem, int pemType, int errBase)
+    const char* fileDer, const char* filePem, int pemType, int errBase)
 {
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     int ret;
@@ -1314,32 +1309,50 @@ static int _SaveDerAndPem(const byte* der, int derSz,
     }
 #endif
 
-    if (pem && filePem) {
+#ifdef WOLFSSL_DER_TO_PEM
+    if (filePem) {
     #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
         XFILE pemFile;
     #endif
-    #ifdef WOLFSSL_DER_TO_PEM
+        byte* pem;
+        int pemSz;
+
+        /* calculate PEM size */
+        pemSz = wc_DerToPem(der, derSz, NULL, 0, pemType);
+        if (pemSz < 0) {
+            return pemSz;
+        }
+        pem = XMALLOC(pemSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        if (pem == NULL) {
+            return MEMORY_E;
+        }
+        /* Convert to PEM */
         pemSz = wc_DerToPem(der, derSz, pem, pemSz, pemType);
         if (pemSz < 0) {
+            XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
             return errBase + 2;
         }
-    #endif
     #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
         pemFile = XFOPEN(filePem, "wb");
         if (!pemFile) {
+            XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
             return errBase + 3;
         }
         ret = (int)XFWRITE(pem, 1, pemSz, pemFile);
         XFCLOSE(pemFile);
         if (ret != pemSz) {
+            XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
             return errBase + 4;
         }
     #endif
+        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     }
+#endif /* WOLFSSL_DER_TO_PEM */
 
     /* suppress unused variable warnings */
     (void)filePem;
     (void)fileDer;
+    (void)pemType;
 
     return 0;
 }
@@ -10357,12 +10370,10 @@ byte GetEntropy(ENTROPY_CMD cmd, byte* out)
         static const char* certEccRsaPemFile = CERT_PREFIX "certeccrsa.pem";
         static const char* certEccRsaDerFile = CERT_PREFIX "certeccrsa.der";
     #endif
-    #ifdef WOLFSSL_KEY_GEN
         static const char* eccCaKeyPemFile  = CERT_PREFIX "ecc-key.pem";
         static const char* eccPubKeyDerFile = CERT_PREFIX "ecc-public-key.der";
         static const char* eccCaKeyTempFile = CERT_PREFIX "ecc-key.der";
         static const char* eccPkcs8KeyDerFile = CERT_PREFIX "ecc-key-pkcs8.der";
-    #endif
     #if defined(WOLFSSL_CERT_GEN) || \
             (defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT))
         static const char* certEccDerFile = CERT_PREFIX "certecc.der";
@@ -12229,7 +12240,6 @@ static int rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng, byte* tmp)
 {
     RsaKey      caKey;
     byte*       der;
-    byte*       pem = NULL;
     int         ret;
     Cert*       myCert = NULL;
     int         certSz;
@@ -12255,10 +12265,6 @@ static int rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng, byte* tmp)
     if (der == NULL) {
         ERROR_OUT(-7619, exit_rsa);
     }
-    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER);
-    if (pem == NULL) {
-        ERROR_OUT(-7620, exit_rsa);
-    }
     myCert = (Cert*)XMALLOC(sizeof(Cert), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     if (myCert == NULL) {
         ERROR_OUT(-7621, exit_rsa);
@@ -12337,8 +12343,8 @@ static int rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng, byte* tmp)
     FreeDecodedCert(&decode);
 #endif
 
-    ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, certDerFile,
-        certPemFile, CERT_TYPE, -5578);
+    ret = SaveDerAndPem(der, certSz, certDerFile, certPemFile, 
+        CERT_TYPE, -5578);
     if (ret != 0) {
         goto exit_rsa;
     }
@@ -12500,8 +12506,8 @@ static int rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng, byte* tmp)
     FreeDecodedCert(&decode);
 #endif
 
-    ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, otherCertDerFile,
-        otherCertPemFile, CERT_TYPE, -5598);
+    ret = SaveDerAndPem(der, certSz, otherCertDerFile, otherCertPemFile, 
+        CERT_TYPE, -5598);
     if (ret != 0) {
         goto exit_rsa;
     }
@@ -12510,7 +12516,6 @@ exit_rsa:
     wc_FreeRsaKey(&caKey);
 
     XFREE(myCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
 
     return ret;
@@ -12525,7 +12530,6 @@ static int rsa_ecc_certgen_test(WC_RNG* rng, byte* tmp)
     ecc_key     caEccKey;
     ecc_key     caEccKeyPub;
     byte*       der;
-    byte*       pem = NULL;
     Cert*       myCert = NULL;
     int         certSz;
     size_t      bytes3;
@@ -12547,10 +12551,6 @@ static int rsa_ecc_certgen_test(WC_RNG* rng, byte* tmp)
     if (der == NULL) {
         ERROR_OUT(-7645, exit_rsa);
     }
-    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (pem == NULL) {
-        ERROR_OUT(-7646, exit_rsa);
-    }
     myCert = (Cert*)XMALLOC(sizeof(Cert), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     if (myCert == NULL) {
         ERROR_OUT(-7647, exit_rsa);
@@ -12697,8 +12697,8 @@ static int rsa_ecc_certgen_test(WC_RNG* rng, byte* tmp)
     FreeDecodedCert(&decode);
 #endif
 
-    ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, certEccRsaDerFile,
-        certEccRsaPemFile, CERT_TYPE, -5616);
+    ret = SaveDerAndPem(der, certSz, certEccRsaDerFile, certEccRsaPemFile, 
+        CERT_TYPE, -5616);
     if (ret != 0) {
         goto exit_rsa;
     }
@@ -12710,8 +12710,6 @@ exit_rsa:
 
     XFREE(myCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     myCert = NULL;
-    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    pem = NULL;
     XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     der = NULL;
 
@@ -12727,7 +12725,6 @@ static int rsa_keygen_test(WC_RNG* rng)
     RsaKey genKey;
     int    ret;
     byte*  der = NULL;
-    byte*  pem = NULL;
     word32 idx = 0;
     int    derSz = 0;
 #if !defined(WOLFSSL_SP_MATH) && !defined(HAVE_FIPS)
@@ -12766,17 +12763,13 @@ static int rsa_keygen_test(WC_RNG* rng)
     if (der == NULL) {
         ERROR_OUT(-7665, exit_rsa);
     }
-    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (pem == NULL) {
-        ERROR_OUT(-7666, exit_rsa);
-    }
 
     derSz = wc_RsaKeyToDer(&genKey, der, FOURK_BUF);
     if (derSz < 0) {
         ERROR_OUT(-7667, exit_rsa);
     }
 
-    ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, keyDerFile, keyPemFile,
+    ret = SaveDerAndPem(der, derSz, keyDerFile, keyPemFile, 
         PRIVATEKEY_TYPE, -5555);
     if (ret != 0) {
         goto exit_rsa;
@@ -12798,10 +12791,6 @@ static int rsa_keygen_test(WC_RNG* rng)
 
 exit_rsa:
     wc_FreeRsaKey(&genKey);
-    if (pem != NULL) {
-        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        pem = NULL;
-    }
     if (der != NULL) {
         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         der = NULL;
@@ -12816,7 +12805,6 @@ int rsa_test(void)
     int    ret;
     byte*  tmp;
     byte*  der = NULL;
-    byte*  pem = NULL;
     size_t bytes;
     WC_RNG rng;
     RsaKey key;
@@ -13698,10 +13686,6 @@ int rsa_test(void)
         if (der == NULL) {
             ERROR_OUT(-7758, exit_rsa);
         }
-        pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER);
-        if (pem == NULL) {
-            ERROR_OUT(-7759, exit_rsa);
-        }
 
         certSz = wc_MakeNtruCert(&myCert, der, FOURK_BUF, public_key,
                               public_key_len, &rng);
@@ -13735,8 +13719,8 @@ int rsa_test(void)
         FreeDecodedCert(&decode);
     #endif
 
-        ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, "./ntru-cert.der",
-            "./ntru-cert.pem", CERT_TYPE, -5637);
+        ret = SaveDerAndPem(der, certSz, "./ntru-cert.der", "./ntru-cert.pem", 
+            CERT_TYPE, -5637);
         if (ret != 0) {
             goto exit_rsa;
         }
@@ -13753,8 +13737,6 @@ int rsa_test(void)
         }
     #endif
 
-        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        pem = NULL;
         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         der = NULL;
     }
@@ -13768,10 +13750,6 @@ int rsa_test(void)
         if (der == NULL) {
             ERROR_OUT(-7765, exit_rsa);
         }
-        pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER);
-        if (pem == NULL) {
-            ERROR_OUT(-7766, exit_rsa);
-        }
 
         if (wc_InitCert(&req)) {
             ERROR_OUT(-7767, exit_rsa);
@@ -13846,8 +13824,8 @@ int rsa_test(void)
         }
         derSz = ret;
 
-        ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, certReqDerFile,
-            certReqPemFile, CERTREQ_TYPE, -5650);
+        ret = SaveDerAndPem(der, derSz, certReqDerFile, certReqPemFile, 
+            CERTREQ_TYPE, -5650);
         if (ret != 0) {
             goto exit_rsa;
         }
@@ -13857,8 +13835,6 @@ int rsa_test(void)
             ERROR_OUT(-7776, exit_rsa);
         }
 
-        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        pem = NULL;
         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         der = NULL;
     }
@@ -13878,7 +13854,6 @@ exit_rsa:
     wc_FreeRsaKey(&caKey);
 #endif
 
-    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     wc_FreeRng(&rng);
@@ -14606,7 +14581,6 @@ int dsa_test(void)
 #ifdef WOLFSSL_KEY_GEN
     {
     byte*  der;
-    byte*  pem;
     int    derSz = 0;
     DsaKey derIn;
     DsaKey genKey;
@@ -14631,25 +14605,17 @@ int dsa_test(void)
         wc_FreeDsaKey(&genKey);
         return -8011;
     }
-    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (pem == NULL) {
-        XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        wc_FreeDsaKey(&genKey);
-        return -8012;
-    }
 
     derSz = wc_DsaKeyToDer(&genKey, der, FOURK_BUF);
     if (derSz < 0) {
         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         return -8013;
     }
 
-    ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, keyDerFile,
-            keyPemFile, DSA_PRIVATEKEY_TYPE, -5814);
+    ret = SaveDerAndPem(der, derSz, keyDerFile, keyPemFile, 
+        DSA_PRIVATEKEY_TYPE, -5814);
     if (ret != 0) {
         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         wc_FreeDsaKey(&genKey);
         return ret;
     }
@@ -14657,7 +14623,6 @@ int dsa_test(void)
     ret = wc_InitDsaKey(&derIn);
     if (ret != 0) {
         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         wc_FreeDsaKey(&genKey);
         return -8014;
     }
@@ -14666,7 +14631,6 @@ int dsa_test(void)
     ret = wc_DsaPrivateKeyDecode(der, &idx, &derIn, derSz);
     if (ret != 0) {
         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         wc_FreeDsaKey(&derIn);
         wc_FreeDsaKey(&genKey);
         return -8015;
@@ -14674,7 +14638,6 @@ int dsa_test(void)
 
     wc_FreeDsaKey(&derIn);
     wc_FreeDsaKey(&genKey);
-    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     }
 #endif /* WOLFSSL_KEY_GEN */
@@ -17714,6 +17677,10 @@ int x963kdf_test(void)
 
 #ifdef HAVE_ECC
 
+#ifndef ECC_KEYGEN_SIZE
+    /* size to use for ECC key gen tests */
+    #define ECC_KEYGEN_SIZE 32
+#endif
 #ifdef BENCH_EMBEDDED
     #define ECC_SHARED_SIZE 128
 #else
@@ -18212,9 +18179,9 @@ done:
 static int ecc_test_make_pub(WC_RNG* rng)
 {
     ecc_key key;
-    unsigned char* exportBuf;
-    unsigned char* tmp;
-    unsigned char msg[] = "test wolfSSL ECC public gen";
+    byte exportBuf[ECC_BUFSIZE];
+    byte tmp[ECC_BUFSIZE];
+    const byte* msg = (const byte*)"test wolfSSL ECC public gen";
     word32 x, tmpSz;
     int ret = 0;
     ecc_point* pubPoint = NULL;
@@ -18231,33 +18198,15 @@ static int ecc_test_make_pub(WC_RNG* rng)
     wc_ecc_init_ex(&key, HEAP_HINT, devId);
 
 #ifdef USE_CERT_BUFFERS_256
-    tmp = (byte*)XMALLOC((size_t)sizeof_ecc_key_der_256, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (tmp == NULL) {
-        return -9613;
-    }
-    exportBuf = (byte*)XMALLOC((size_t)sizeof_ecc_key_der_256, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (exportBuf == NULL) {
-        XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        return -9614;
-    }
     XMEMCPY(tmp, ecc_key_der_256, (size_t)sizeof_ecc_key_der_256);
     tmpSz = (size_t)sizeof_ecc_key_der_256;
 #else
-    tmp = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (tmp == NULL) {
-        return -9615;
-    }
-    exportBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (exportBuf == NULL) {
-        XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        return -9616;
-    }
     file = XFOPEN(eccKeyDerFile, "rb");
     if (!file) {
         ERROR_OUT(-9617, done);
     }
 
-    tmpSz = (word32)XFREAD(tmp, 1, FOURK_BUF, file);
+    tmpSz = (word32)XFREAD(tmp, 1, sizeof(tmp), file);
     XFCLOSE(file);
 #endif /* USE_CERT_BUFFERS_256 */
 
@@ -18279,7 +18228,7 @@ static int ecc_test_make_pub(WC_RNG* rng)
     }
 
 #ifdef HAVE_ECC_KEY_EXPORT
-    x = FOURK_BUF;
+    x = sizeof(exportBuf);
     ret = wc_ecc_export_private_only(&key, exportBuf, &x);
     if (ret != 0) {
         ERROR_OUT(-9621, done);
@@ -18293,7 +18242,7 @@ static int ecc_test_make_pub(WC_RNG* rng)
         ERROR_OUT(-9622, done);
     }
 
-    x = FOURK_BUF;
+    x = sizeof(exportBuf);
     ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0);
     if (ret == 0) {
         ERROR_OUT(-9623, done);
@@ -18321,7 +18270,7 @@ static int ecc_test_make_pub(WC_RNG* rng)
 
 #ifdef HAVE_ECC_KEY_EXPORT
     /* export should still fail, is private only key */
-    x = FOURK_BUF;
+    x = sizeof(exportBuf);
     ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0);
     if (ret == 0) {
         ERROR_OUT(-9627, done);
@@ -18329,13 +18278,13 @@ static int ecc_test_make_pub(WC_RNG* rng)
 #endif /* HAVE_ECC_KEY_EXPORT */
 #if defined(WOLFSSL_CRYPTOCELL)
     /* create a new key since building private key from public key is unsupported */
-    ret  = wc_ecc_make_key(rng, 32, &key);
+    ret  = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, &key);
     if (ret == 0) {
         ERROR_OUT(-9628, done);
     }
 #endif
 #ifdef HAVE_ECC_SIGN
-    tmpSz = FOURK_BUF;
+    tmpSz = sizeof(tmp);
     ret = 0;
     do {
     #if defined(WOLFSSL_ASYNC_CRYPT)
@@ -18369,7 +18318,7 @@ static int ecc_test_make_pub(WC_RNG* rng)
     TEST_SLEEP();
 #ifdef HAVE_ECC_KEY_EXPORT
     /* exporting the public part should now work */
-    x = FOURK_BUF;
+    x = sizeof(exportBuf);
     ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0);
     if (ret != 0) {
         ERROR_OUT(-9632, done);
@@ -18381,7 +18330,7 @@ static int ecc_test_make_pub(WC_RNG* rng)
 
 #if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT)
     /* now test private only key with creating a shared secret */
-    x = FOURK_BUF;
+    x = sizeof(exportBuf);
     ret = wc_ecc_export_private_only(&key, exportBuf, &x);
     if (ret != 0) {
         ERROR_OUT(-9633, done);
@@ -18396,7 +18345,7 @@ static int ecc_test_make_pub(WC_RNG* rng)
     }
 
     /* check that public export fails with private only key */
-    x = FOURK_BUF;
+    x = sizeof(exportBuf);
     ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0);
     if (ret == 0) {
         ERROR_OUT(-9635, done);
@@ -18404,7 +18353,7 @@ static int ecc_test_make_pub(WC_RNG* rng)
 
     /* make public key for shared secret */
     wc_ecc_init_ex(&pub, HEAP_HINT, devId);
-    ret = wc_ecc_make_key(rng, 32, &pub);
+    ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, &pub);
 #if defined(WOLFSSL_ASYNC_CRYPT)
     ret = wc_AsyncWait(ret, &pub.asyncDev, WC_ASYNC_FLAG_NONE);
 #endif
@@ -18413,7 +18362,7 @@ static int ecc_test_make_pub(WC_RNG* rng)
     }
     TEST_SLEEP();
 
-    x = FOURK_BUF;
+    x = sizeof(exportBuf);
     do {
     #if defined(WOLFSSL_ASYNC_CRYPT)
         ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
@@ -18433,9 +18382,6 @@ static int ecc_test_make_pub(WC_RNG* rng)
 
 done:
 
-    XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(exportBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-
     wc_ecc_del_point_h(pubPoint, HEAP_HINT);
     wc_ecc_free(&key);
 
@@ -18492,7 +18438,6 @@ static int ecc_test_key_decode(WC_RNG* rng, int keySize)
 }
 #endif /* HAVE_ECC_KEY_IMPORT */
 
-#ifdef WOLFSSL_KEY_GEN
 static int ecc_test_key_gen(WC_RNG* rng, int keySize)
 {
     int    ret = 0;
@@ -18500,20 +18445,9 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize)
 #ifdef HAVE_PKCS8
     word32 pkcs8Sz;
 #endif
-    byte*  der;
-    byte*  pem;
+    byte der[ECC_BUFSIZE];
     ecc_key userA;
 
-    der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (der == NULL) {
-        return -9638;
-    }
-    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (pem == NULL) {
-        XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        return -9639;
-    }
-
     ret = wc_ecc_init_ex(&userA, HEAP_HINT, devId);
     if (ret != 0)
         goto done;
@@ -18531,19 +18465,19 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize)
         goto done;
     TEST_SLEEP();
 
-    derSz = wc_EccKeyToDer(&userA, der, FOURK_BUF);
+    derSz = wc_EccKeyToDer(&userA, der, sizeof(der));
     if (derSz < 0) {
         ERROR_OUT(derSz, done);
     }
 
-    ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, eccCaKeyTempFile,
-            eccCaKeyPemFile, ECC_PRIVATEKEY_TYPE, -8347);
+    ret = SaveDerAndPem(der, derSz, eccCaKeyTempFile, eccCaKeyPemFile, 
+        ECC_PRIVATEKEY_TYPE, -8347);
     if (ret != 0) {
         goto done;
     }
 
     /* test export of public key */
-    derSz = wc_EccPublicKeyToDer(&userA, der, FOURK_BUF, 1);
+    derSz = wc_EccPublicKeyToDer(&userA, der, sizeof(der), 1);
     if (derSz < 0) {
         ERROR_OUT(derSz, done);
     }
@@ -18551,8 +18485,7 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize)
         ERROR_OUT(-9640, done);
     }
 
-    ret = SaveDerAndPem(der, derSz, NULL, 0, eccPubKeyDerFile,
-        NULL, 0, -8348);
+    ret = SaveDerAndPem(der, derSz, eccPubKeyDerFile, NULL, 0, -8348);
     if (ret != 0) {
         goto done;
     }
@@ -18569,8 +18502,7 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize)
         ERROR_OUT(-9641, done);
     }
 
-    ret = SaveDerAndPem(der, derSz, NULL, 0, eccPkcs8KeyDerFile,
-                        NULL, 0, -8349);
+    ret = SaveDerAndPem(der, derSz, eccPkcs8KeyDerFile, NULL, 0, -8349);
     if (ret != 0) {
         goto done;
     }
@@ -18578,13 +18510,10 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize)
 
 done:
 
-    XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     wc_ecc_free(&userA);
 
     return ret;
 }
-#endif /* WOLFSSL_KEY_GEN */
 
 static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount,
     int curve_id, const ecc_set_type* dp)
@@ -18959,7 +18888,6 @@ static int ecc_test_curve(WC_RNG* rng, int keySize)
     }
 #endif
 
-#ifdef WOLFSSL_KEY_GEN
     ret = ecc_test_key_decode(rng, keySize);
     if (ret < 0) {
         if (ret == ECC_CURVE_OID_E) {
@@ -18981,7 +18909,6 @@ static int ecc_test_curve(WC_RNG* rng, int keySize)
             return ret;
         }
     }
-#endif
 
     return 0;
 }
@@ -19491,7 +19418,7 @@ static int ecc_def_curve_test(WC_RNG *rng)
         goto done;
     }
 
-    ret = wc_ecc_make_key(rng, 32, &key);
+    ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, &key);
 #if defined(WOLFSSL_ASYNC_CRYPT)
     ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_NONE);
 #endif
@@ -19813,22 +19740,23 @@ static int ecc_test_cert_gen(WC_RNG* rng)
 #ifdef WOLFSSL_TEST_CERT
     DecodedCert decode;
 #endif
-    byte*  der;
-    byte*  pem = NULL;
+#ifdef WOLFSSL_SMALL_STACK
+    byte* der = NULL;
+#else
+    byte der[FOURK_BUF];
+#endif
     ecc_key caEccKey;
     ecc_key certPubKey;
 
     XMEMSET(&caEccKey, 0, sizeof(caEccKey));
     XMEMSET(&certPubKey, 0, sizeof(certPubKey));
 
+#ifdef WOLFSSL_SMALL_STACK
     der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     if (der == NULL) {
-        ERROR_OUT(-9817, exit);
-    }
-    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (pem == NULL) {
         ERROR_OUT(-9818, exit);
     }
+#endif
 
     /* Get cert private key */
 #ifdef ENABLE_ECC384_CERT_GEN_TEST
@@ -19879,7 +19807,7 @@ static int ecc_test_cert_gen(WC_RNG* rng)
         ERROR_OUT(-9823, exit);
     }
 
-    ret = wc_ecc_make_key(rng, 32, &certPubKey);
+    ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, &certPubKey);
 #if defined(WOLFSSL_ASYNC_CRYPT)
     ret = wc_AsyncWait(ret, &certPubKey.asyncDev, WC_ASYNC_FLAG_NONE);
 #endif
@@ -19979,19 +19907,19 @@ static int ecc_test_cert_gen(WC_RNG* rng)
     FreeDecodedCert(&decode);
 #endif
 
-    ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, certEccDerFile,
-        certEccPemFile, CERT_TYPE, -6735);
+    ret = SaveDerAndPem(der, certSz, certEccDerFile, certEccPemFile, 
+        CERT_TYPE, -6735);
     if (ret != 0) {
         goto exit;
     }
 
 exit:
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
     wc_ecc_free(&certPubKey);
     wc_ecc_free(&caEccKey);
 
-    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-
     return ret;
 }
 #endif /* WOLFSSL_CERT_GEN */
@@ -20008,7 +19936,7 @@ static int ecc_test_allocator(WC_RNG* rng)
         ERROR_OUT(-9833, exit);
     }
 
-    ret = wc_ecc_make_key(rng, 32, key);
+    ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, key);
     if (ret != 0) {
         ERROR_OUT(-9834, exit);
     }
@@ -20208,7 +20136,7 @@ int ecc_encrypt_test(void)
     if (ret != 0)
         goto done;
 
-    ret  = wc_ecc_make_key(&rng, 32, &userA);
+    ret  = wc_ecc_make_key(&rng, ECC_KEYGEN_SIZE, &userA);
 #if defined(WOLFSSL_ASYNC_CRYPT)
     ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_NONE);
 #endif
@@ -20216,7 +20144,7 @@ int ecc_encrypt_test(void)
         ret = -10001; goto done;
     }
 
-    ret = wc_ecc_make_key(&rng, 32, &userB);
+    ret = wc_ecc_make_key(&rng, ECC_KEYGEN_SIZE, &userB);
 #if defined(WOLFSSL_ASYNC_CRYPT)
     ret = wc_AsyncWait(ret, &userB.asyncDev, WC_ASYNC_FLAG_NONE);
 #endif
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 6bdda029b..686d09c29 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -326,6 +326,8 @@ enum Misc_ASN {
                             /* Maximum DER digest size */
     MAX_DER_DIGEST_ASN_SZ = MAX_ENCODED_DIG_ASN_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ,
                             /* Maximum DER digest ASN header size */
+                            /* Max X509 header length indicates the max length + 2 ('\n', '\0') */
+    MAX_X509_HEADER_SZ  = (37 + 2), /* Maximum PEM Header/Footer Size */
 #ifdef WOLFSSL_CERT_GEN
     #ifdef WOLFSSL_CERT_REQ
                           /* Max encoded cert req attributes length */
@@ -377,7 +379,8 @@ enum Misc_ASN {
 
     PKCS5_SALT_SZ       = 8,
 
-    PEM_LINE_LEN       = 80,       /* PEM line max + fudge */
+    PEM_LINE_SZ        = 64,               /* Length of Base64 encoded line, not including new line */
+    PEM_LINE_LEN       = PEM_LINE_SZ + 12, /* PEM line max + fudge */
 };
 
 

From 5fa7bb5b9f20f91750a365bbb8830673331c2804 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Fri, 24 Apr 2020 07:48:41 -0700
Subject: [PATCH 3/7] Fix possible unused args.

---
 wolfcrypt/test/test.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 8e405de09..c8b212d2f 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -1350,9 +1350,12 @@ static int _SaveDerAndPem(const byte* der, int derSz,
 #endif /* WOLFSSL_DER_TO_PEM */
 
     /* suppress unused variable warnings */
+    (void)der;
+    (void)derSz;
     (void)filePem;
     (void)fileDer;
     (void)pemType;
+    (void)errBase;
 
     return 0;
 }

From cfc0aeb85757ad3db80d7e2c93abc8a26d2a514f Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Fri, 24 Apr 2020 08:56:31 -0700
Subject: [PATCH 4/7] Fix for RSA and KeyGen only in test.c.

---
 wolfcrypt/test/test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index c8b212d2f..17020f224 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -1282,8 +1282,8 @@ initDefaultName();
 #endif /* NO_MAIN_DRIVER */
 
 /* helper to save DER, convert to PEM and save PEM */
-#if !defined(NO_ASN) && \
-    ((!defined(NO_RSA) && defined(WOLFSSL_CERT_GEN)) || defined(HAVE_ECC))
+#if !defined(NO_ASN) && (defined(HAVE_ECC) || \
+    (!defined(NO_RSA) && (defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN))))
 
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
 #define SaveDerAndPem(d, dSz, fD, fP, pT, eB) _SaveDerAndPem(d, dSz, fD, fP, pT, eB)

From a4caa42793dee81925269c2a66d099b544f57b9d Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Fri, 24 Apr 2020 11:17:54 -0700
Subject: [PATCH 5/7] Improve the Base64 line size for `NO_ASN` case. Fix
 report of unread `ret`.

---
 wolfcrypt/src/asn.c    |  3 +--
 wolfcrypt/src/coding.c | 21 +++++++++++++++------
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 11e58a7cb..2c7facc55 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -15573,10 +15573,9 @@ int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx,
 
         /* get curve id */
         if ((ret = CheckCurve(oidSum)) < 0)
-            ret = ECC_CURVE_OID_E;
+            return ECC_CURVE_OID_E;
         else {
             curve_id = ret;
-            ret = 0;
         }
     }
 
diff --git a/wolfcrypt/src/coding.c b/wolfcrypt/src/coding.c
index c94efb03e..2a8dcb418 100644
--- a/wolfcrypt/src/coding.c
+++ b/wolfcrypt/src/coding.c
@@ -29,10 +29,11 @@
 #ifndef NO_CODING
 
 #include <wolfssl/wolfcrypt/coding.h>
-#include <wolfssl/wolfcrypt/asn.h> /* For PEM_LINE_SZ */
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
-
+#ifndef NO_ASN
+    #include <wolfssl/wolfcrypt/asn.h> /* For PEM_LINE_SZ */
+#endif
 
 enum {
     BAD         = 0xFF,  /* invalid encoding */
@@ -42,6 +43,14 @@ enum {
 };
 
 
+#ifndef BASE64_LINE_SZ
+    #ifdef NO_ASN
+        #define BASE64_LINE_SZ 64
+    #else
+        #define BASE64_LINE_SZ PEM_LINE_SZ
+    #endif
+#endif
+
 #ifdef WOLFSSL_BASE64_DECODE
 
 static
@@ -91,7 +100,7 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
 {
     word32 i = 0;
     word32 j = 0;
-    word32 plainSz = inLen - ((inLen + (PEM_LINE_SZ - 1)) / PEM_LINE_SZ );
+    word32 plainSz = inLen - ((inLen + (BASE64_LINE_SZ - 1)) / BASE64_LINE_SZ );
     int ret;
     const byte maxIdx = (byte)sizeof(base64Decode) + BASE64_MIN - 1;
 
@@ -291,7 +300,7 @@ static int DoBase64_Encode(const byte* in, word32 inLen, byte* out,
     int    getSzOnly = (out == NULL);
 
     word32 outSz = (inLen + 3 - 1) / 3 * 4;
-    word32 addSz = (outSz + PEM_LINE_SZ - 1) / PEM_LINE_SZ;  /* new lines */
+    word32 addSz = (outSz + BASE64_LINE_SZ - 1) / BASE64_LINE_SZ;  /* new lines */
 
     if (escaped == WC_ESC_NL_ENC)
         addSz *= 3;   /* instead of just \n, we're doing %0A triplet */
@@ -328,8 +337,8 @@ static int DoBase64_Encode(const byte* in, word32 inLen, byte* out,
 
         inLen -= 3;
 
-        /* Insert newline after PEM_LINE_SZ, unless no \n requested */
-        if (escaped != WC_NO_NL_ENC && (++n % (PEM_LINE_SZ/4)) == 0 && inLen) {
+        /* Insert newline after BASE64_LINE_SZ, unless no \n requested */
+        if (escaped != WC_NO_NL_ENC && (++n % (BASE64_LINE_SZ/4)) == 0 && inLen) {
             ret = CEscape(escaped, '\n', out, &i, *outLen, 1, getSzOnly);
             if (ret != 0) break;
         }

From 1e726e19a464d09d7d4064bee3f55a24cb2cc297 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Mon, 27 Apr 2020 06:48:41 -0700
Subject: [PATCH 6/7] Fix for XMALLOC cast.

---
 wolfcrypt/test/test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 17020f224..0f495862e 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -1322,7 +1322,7 @@ static int _SaveDerAndPem(const byte* der, int derSz,
         if (pemSz < 0) {
             return pemSz;
         }
-        pem = XMALLOC(pemSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        pem = (byte*)XMALLOC(pemSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         if (pem == NULL) {
             return MEMORY_E;
         }

From 6185e0f477d614adc44da428fe6beb894cd5f7b9 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Mon, 27 Apr 2020 11:16:02 -0700
Subject: [PATCH 7/7] Remove execute bit on files.

---
 IDE/Renesas/e2studio/RA6M3G/client-wolfssl/wolfssl_thread_entry.h | 0
 IDE/Renesas/e2studio/RA6M3G/common/ra6m3g/README.md               | 0
 IDE/Renesas/e2studio/RA6M3G/server-wolfssl/wolfssl_thread_entry.h | 0
 src/ssl.c                                                         | 0
 wolfcrypt/benchmark/benchmark.c                                   | 0
 wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs           | 0
 6 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100755 => 100644 IDE/Renesas/e2studio/RA6M3G/client-wolfssl/wolfssl_thread_entry.h
 mode change 100755 => 100644 IDE/Renesas/e2studio/RA6M3G/common/ra6m3g/README.md
 mode change 100755 => 100644 IDE/Renesas/e2studio/RA6M3G/server-wolfssl/wolfssl_thread_entry.h
 mode change 100755 => 100644 src/ssl.c
 mode change 100755 => 100644 wolfcrypt/benchmark/benchmark.c
 mode change 100755 => 100644 wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs

diff --git a/IDE/Renesas/e2studio/RA6M3G/client-wolfssl/wolfssl_thread_entry.h b/IDE/Renesas/e2studio/RA6M3G/client-wolfssl/wolfssl_thread_entry.h
old mode 100755
new mode 100644
diff --git a/IDE/Renesas/e2studio/RA6M3G/common/ra6m3g/README.md b/IDE/Renesas/e2studio/RA6M3G/common/ra6m3g/README.md
old mode 100755
new mode 100644
diff --git a/IDE/Renesas/e2studio/RA6M3G/server-wolfssl/wolfssl_thread_entry.h b/IDE/Renesas/e2studio/RA6M3G/server-wolfssl/wolfssl_thread_entry.h
old mode 100755
new mode 100644
diff --git a/src/ssl.c b/src/ssl.c
old mode 100755
new mode 100644
diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
old mode 100755
new mode 100644
diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs
old mode 100755
new mode 100644