From 38f466bdfe2db37e13deb415f21f1cb0fc2d2eb5 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Fri, 27 Dec 2019 17:48:34 +0100
Subject: [PATCH 1/4] Keep untrustedDepth = 0 for self signed certs
---
src/internal.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/internal.c b/src/internal.c
index 163395cf9..7590e87b2 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -10151,7 +10151,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifdef OPENSSL_EXTRA
/* Determine untrusted depth */
- if (!alreadySigner) {
+ if (!alreadySigner && (!args->dCert ||
+ !args->dCertInit || !args->dCert->selfSigned)) {
args->untrustedDepth = 1;
}
#endif
From 1bf6eb466fa6fd38e591c04def73e2004550ff5f Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Mon, 30 Dec 2019 19:08:59 +0100
Subject: [PATCH 2/4] CRL extensions are optional so ext errors should be skipped
---
wolfcrypt/src/asn.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 8b510bff4..582654aed 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -16130,8 +16130,8 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
if (ParseCRL_CertList(dcrl, buff, &idx, idx + len) < 0)
return ASN_PARSE_E;
- if (ParseCRL_Extensions(dcrl, buff, &idx, idx + len) < 0)
- return ASN_PARSE_E;
+ /* CRL Extensions optional, ignoring errors */
+ ParseCRL_Extensions(dcrl, buff, &idx, idx + len);
idx = dcrl->sigIndex;
From 443b7ed0c454574174de00f6fb7b3d7f6caef608 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Thu, 2 Jan 2020 10:52:02 +0100
Subject: [PATCH 3/4] Accept newline and null teminator at end of X509 certificate
---
src/ssl.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index fc2aa63bf..7910e9d3f 100644
--- a/src/ssl.c
+++ b/src/ssl.c
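Review bot: The new condition on the `if` keeps untrustedDepth at 0 for any self-signed certificate, yet a self-signed peer certificate that is not a loaded CA (alreadySigner false) is still untrusted, so depth 0 here cannot by itself mean "trusted". If the intent is that such a cert is rejected by the later signer check, or surfaced to the verify callback as a depth-zero self-signed error, rather than by the depth limit, the comment should say so, because `/* Determine untrusted depth */` no longer explains the exclusion: `/* self-signed peer certs are not counted as untrusted depth; a self-signed cert that is not a loaded CA is presumably still rejected by the signer check -- confirm */`. The `!args->dCert || !args->dCertInit` guards fall back to depth 1 when no decoded cert is at hand, which is the safe direction. ProcessPeerCerts begins and ends outside this hunk, so whether dCert at this point is the leaf or the last parsed chain element cannot be confirmed from it.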
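Review bot: Discarding the return value on the added `ParseCRL_Extensions(dcrl, buff, &idx, idx + len);` line accepts more than an absent extensions block: an element that is present but malformed (bad tag, bad length, truncated) is now silently ignored as well, and the BUFFER_E/ASN_PARSE_E results of ParseCRL_Extensions can no longer tell the two apart. OPTIONAL in the ASN.1 sense means the element may be missing, not that a present element may be unparseable, so the error check should stay and the "absent" case should be handled inside ParseCRL_Extensions; PATCH 4/4 of this series restores the `< 0` check, so this interim state should not be shipped on its own. ParseCRL begins and ends outside the hunk.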
@@ -35453,7 +35453,8 @@ err:
#define PEM_END_SZ 9
#define PEM_HDR_FIN "-----"
#define PEM_HDR_FIN_SZ 5
- #define PEM_HDR_FIN_EOL "-----\n"
+ #define PEM_HDR_FIN_EOL_NEWLINE "-----\n"
+ #define PEM_HDR_FIN_EOL_NULL_TERM "-----\0"
#define PEM_HDR_FIN_EOL_SZ 6
int wolfSSL_PEM_read_bio(WOLFSSL_BIO* bio, char **name, char **header,
@@ -35589,8 +35590,12 @@ err:
ret = WOLFSSL_FAILURE;
}
if (ret == WOLFSSL_SUCCESS) {
- if (XSTRNCMP(pem + PEM_END_SZ + nameLen, PEM_HDR_FIN_EOL,
- PEM_HDR_FIN_EOL_SZ) != 0) {
+ if (XSTRNCMP(pem + PEM_END_SZ + nameLen,
+ PEM_HDR_FIN_EOL_NEWLINE,
+ PEM_HDR_FIN_EOL_SZ) != 0 &&
+ XSTRNCMP(pem + PEM_END_SZ + nameLen,
+ PEM_HDR_FIN_EOL_NULL_TERM,
+ PEM_HDR_FIN_EOL_SZ) != 0) {
ret = WOLFSSL_FAILURE;
}
}
@@ -35654,8 +35659,8 @@ err:
if (!err)
err = wolfSSL_BIO_write(bio, name, nameLen) != nameLen;
if (!err) {
- err = wolfSSL_BIO_write(bio, PEM_HDR_FIN_EOL, PEM_HDR_FIN_EOL_SZ) !=
- (int)PEM_HDR_FIN_EOL_SZ;
+ err = wolfSSL_BIO_write(bio, PEM_HDR_FIN_EOL_NEWLINE,
+ PEM_HDR_FIN_EOL_SZ) != (int)PEM_HDR_FIN_EOL_SZ;
}
if (!err && headerLen > 0) {
err = wolfSSL_BIO_write(bio, header, headerLen) != headerLen;
@@ -35672,8 +35677,8 @@ err:
if (!err)
err = wolfSSL_BIO_write(bio, name, nameLen) != nameLen;
if (!err) {
- err = wolfSSL_BIO_write(bio, PEM_HDR_FIN_EOL, PEM_HDR_FIN_EOL_SZ) !=
- (int)PEM_HDR_FIN_EOL_SZ;
+ err = wolfSSL_BIO_write(bio, PEM_HDR_FIN_EOL_NEWLINE,
+ PEM_HDR_FIN_EOL_SZ) != (int)PEM_HDR_FIN_EOL_SZ;
}
if (!err) {
From e0ab92058ba8610c60d08ec520dd2d99c8b63221 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Tue, 7 Jan 2020 11:55:07 +0100
Subject: [PATCH 4/4] Check CRL extension errors but don't require them
---
wolfcrypt/src/asn.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 582654aed..01e30541f 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
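Review bot: The literal on the added `#define PEM_HDR_FIN_EOL_NULL_TERM "-----\0"` is, when compared with XSTRNCMP over PEM_HDR_FIN_EOL_SZ (6) bytes, indistinguishable from plain `"-----"`: strncmp does not compare characters after a NUL in either operand, so the sixth byte compared is the literal's terminator in both spellings (assuming XSTRNCMP maps to strncmp). The explicit `\0` reads as if it extends the comparison when it does not; either drop it, `#define PEM_HDR_FIN_EOL_NULL_TERM "-----"`, or keep it with a comment such as `/* the 6th compared byte is the NUL terminator: the footer must be the last thing in the buffer */`. Both PEM_HDR_FIN_EOL_* macros now share PEM_HDR_FIN_EOL_SZ, so any future terminator of a different length will need its own size macro.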
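Review bot: The two XSTRNCMP calls still reject a footer terminated by `\r\n`, which is how PEM files produced on Windows commonly end; this hunk only adds the bare-NUL case to the existing bare-LF one. Comparing the five dashes once and then inspecting the single terminator byte states the accepted set in one place and makes adding `\r` a one-character change, as in the excerpt below. Both the original and the rewrite read the byte after the dashes, so the buffer must hold at least one byte past the footer; wolfSSL_PEM_read_bio starts and ends outside this hunk, so I could not confirm from it that `pem` is NUL-terminated when the footer is the last data read, which is worth checking before relying on the `\0` case.
```c
if (ret == WOLFSSL_SUCCESS) {
    const char* fin = pem + PEM_END_SZ + nameLen;
    /* footer is "-----" followed by LF, CR (CRLF) or the end of the data */
    if (XSTRNCMP(fin, PEM_HDR_FIN, PEM_HDR_FIN_SZ) != 0 ||
            (fin[PEM_HDR_FIN_SZ] != '\n' && fin[PEM_HDR_FIN_SZ] != '\r' &&
             fin[PEM_HDR_FIN_SZ] != '\0')) {
        ret = WOLFSSL_FAILURE;
    }
}
```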
@@ -16030,14 +16030,17 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
idx = *inOutIdx;
+ /* CRL Extensions are optional */
if ((idx + 1) > sz)
- return BUFFER_E;
+ return 0;
+ /* CRL Extensions are optional */
if (GetASNTag(buf, &idx, &tag, sz) < 0)
- return ASN_PARSE_E;
+ return 0;
+ /* CRL Extensions are optional */
if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
- return ASN_PARSE_E;
+ return 0;
if (GetLength(buf, &idx, &length, sz) < 0)
return ASN_PARSE_E;
@@ -16130,8 +16133,8 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
if (ParseCRL_CertList(dcrl, buff, &idx, idx + len) < 0)
return ASN_PARSE_E;
- /* CRL Extensions optional, ignoring errors */
- ParseCRL_Extensions(dcrl, buff, &idx, idx + len);
+ if (ParseCRL_Extensions(dcrl, buff, &idx, idx + len) < 0)
+ return ASN_PARSE_E;
idx = dcrl->sigIndex;
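Review bot: Only the first of the three added `return 0;` lines corresponds to an absent element; the GetASNTag failure and the tag-mismatch branch now also return 0 for data that is present but is not a crlExtensions [0] element, so a malformed or unexpected trailing element inside the TBSCertList is accepted as "no extensions". OPTIONAL in the ASN.1 sense means the element may be missing, not that a present element may be unparseable, so I would keep `return 0;` only for the `(idx + 1) > sz` case, restore `return ASN_PARSE_E;` on the other two, and reword the single remaining comment to `/* crlExtensions is OPTIONAL: treat as absent only when the TBS is exhausted */`. The exposure is bounded if the signature over the TBS bytes is still verified afterwards, but that verification is not visible here, and whether `sz` is the end of the TBS or of the whole buffer cannot be confirmed from the hunk. ParseCRL_Extensions' signature appears only in the hunk header and its body ends outside the hunk.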