From 75c8d873539797c3fd1ee32012b8441e8a2b9850 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Tue, 13 Jun 2023 14:20:34 -0700
Subject: [PATCH 1/2] Fix trusted_ca_keys extension allowed logic.
---
 src/tls.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/tls.c b/src/tls.c
index 656a337ff..1be158e6b 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -13203,15 +13203,16 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType,
 #endif
 #ifdef WOLFSSL_TLS13
+ /* RFC 8446 4.2.4 states trusted_ca_keys is not used
+ in TLS 1.3. */
 if (IsAtLeastTLSv1_3(ssl->version)) {
- if (msgType != client_hello &&
- msgType != encrypted_extensions)
- return EXT_NOT_ALLOWED;
+ return EXT_NOT_ALLOWED;
 }
 else
 #endif
 {
- if (msgType != client_hello)
+ if (msgType != client_hello &&
+ msgType != server_hello)
 return EXT_NOT_ALLOWED;
 }
 ret = TCA_PARSE(ssl, input + offset, size, isRequest);
From e6017dc546286348275613c564eaba0b7c05e4e6 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Wed, 21 Jun 2023 10:35:12 -0700
Subject: [PATCH 2/2] Refactor MAX_X509_SIZE into a define so it can be overriden in build settings.
---
 wolfssl/internal.h | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index dbe64dda1..c01913341 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1737,13 +1737,6 @@ enum Misc {
 MAX_WOLFSSL_FILE_SIZE = 1024UL * 1024UL * 4, /* 4 mb file size alloc limit */
 #endif
-#if defined(HAVE_PQC)
- MAX_X509_SIZE = 8*1024, /* max static x509 buffer size; dilithium is big */
-#elif defined(WOLFSSL_HAPROXY)
- MAX_X509_SIZE = 3072, /* max static x509 buffer size */
-#else
- MAX_X509_SIZE = 2048, /* max static x509 buffer size */
-#endif
 CERT_MIN_SIZE = 256, /* min PEM cert size with header/footer */
 NO_SNIFF = 0, /* not sniffing */
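Review bot: Allowing server_hello in the pre-1.3 branch lets a ServerHello echo of trusted_ca_keys reach the `ret = TCA_PARSE(ssl, input + offset, size, isRequest);` call, but nothing in the hunk checks that the echo carries the empty extension_data RFC 6066 §6 prescribes, or that the client offered the extension in the first place; unless TCA_PARSE (outside the hunk) already enforces both, an unsolicited or non-empty server echo is parsed as if it were valid. Assuming isRequest is false for server_hello, a guard before the call such as `if (!isRequest && size != 0) return BUFFER_ERROR;` pins the empty-echo rule at the parse site, and the "was it offered" check should look the extension up in ssl->extensions before the response is accepted. The added comment cites RFC 8446 §4.2.4, which is the certificate_authorities section; the statement that trusted_ca_keys is not used in TLS 1.3 appears to come from the extension table in §4.2, so the reference is worth double-checking before it lands. TLSX_Parse's body begins and ends outside the hunk.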
@@ -1876,6 +1869,15 @@ enum Misc {
 #define SESSIDX_IDX_MASK 0x0F
 #endif
+#ifndef MAX_X509_SIZE
+ #if defined(HAVE_PQC)
+ #define MAX_X509_SIZE (8*1024) /* max static x509 buffer size; dilithium is big */
+ #elif defined(WOLFSSL_HAPROXY)
+ #define MAX_X509_SIZE 3072 /* max static x509 buffer size */
+ #else
+ #define MAX_X509_SIZE 2048 /* max static x509 buffer size */
+ #endif
+#endif
 /* max cert chain peer depth */
 #ifndef MAX_CHAIN_DEPTH
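Review bot: The new `#ifndef MAX_X509_SIZE` override point accepts any value without a guard: a build setting that defines MAX_X509_SIZE smaller than the certificates the build must handle silently shrinks every static X.509 buffer sized by it, and a value that is not an integer constant expression only fails at its first use; at minimum the block's comment should state the contract, e.g. `/* may be overridden at build time; must stay large enough for the largest certificate the build handles */`. The definition also moved from inside enum Misc (the removal hunk at @@ -1737 is the other half of this change) to the block after SESSIDX_IDX_MASK, so if any enumerator or macro between those two points referenced MAX_X509_SIZE it now sees an undefined identifier — worth a grep, since only these two hunks are visible. The hunk's context names enum Misc, but the enclosing scope of these #define lines starts outside the hunk and cannot be confirmed from here.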