allow meta PEM data at end of file too

certs/ca-cert.pem

@@ -1,3 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIEnjCCA4agAwIBAgIJAOnQp195JfQ8MA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHTW9udGFuYTEQMA4GA1UEBxMHQm96ZW1hbjERMA8G
+A1UEChMIU2F3dG9vdGgxEzARBgNVBAsTCkNvbnN1bHRpbmcxFjAUBgNVBAMTDXd3
+dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEWDmluZm9AeWFzc2wuY29tMB4XDTEx
+MTAyNDE4MTgxNVoXDTE0MDcyMDE4MTgxNVowgZAxCzAJBgNVBAYTAlVTMRAwDgYD
+VQQIEwdNb250YW5hMRAwDgYDVQQHEwdCb3plbWFuMREwDwYDVQQKEwhTYXd0b290
+aDETMBEGA1UECxMKQ29uc3VsdGluZzEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEd
+MBsGCSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgfSvJNdRDxtjWf38p9A5jTrN4DZu4q
+8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLqypC7aVIQAy+o85XF8YtiVhvvZ2+k
+EEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04KRysx+3yfJWwlYJ9SVw4zXcl772A
+dVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC19pAb9gh3HMbQi1TnP4a/H2rejY/
+mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VWL6Mm0rdvsVoX1ziZCP6TWG/+wxNJ
+CBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u97TZ5AgMBAAGjgfgwgfUwHQYDVR0O
+BBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejVMIHFBgNVHSMEgb0wgbqAFCeOZxF0wyYd
+P+0zY7Ok2B0w5ejVoYGWpIGTMIGQMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHTW9u
+dGFuYTEQMA4GA1UEBxMHQm96ZW1hbjERMA8GA1UEChMIU2F3dG9vdGgxEzARBgNV
+BAsTCkNvbnN1bHRpbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG
+9w0BCQEWDmluZm9AeWFzc2wuY29tggkA6dCnX3kl9DwwDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOCAQEAX4YU9FGLvKVOMNperJr4bNkmS5P54xyJb57us513
+PokgdqPm6IYVIdviM7I01dCf88Gkh5Jc+dH/MC+OA7yzPAwyo5BfGpAer53zntcH
+Aql9J2ZjL68Y16wYmIyDjzjzC6w2EHX7ynYTUFsCj3O/46Dug1IlVM4mzpy9L3mr
+G2C4kvEDwPw7CNnArdVyCCWAYS3cn6eDYgdH4AdMSwcwBKmHHFV/BxLQy0Jdy89m
+ARoX7vkPYLfbb2jlTkFibtNvYE9LJ97PGAfxE13LP6klRNpSXMgE4VYS9SqQTtHi
+rwG1I6HsMdp7Y2nEuPPnzqE9wNtt87LZRsifw7hwWh9/yg==
+-----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
@@ -58,30 +85,3 @@ Certificate:
         f5:2a:90:4e:d1:e2:af:01:b5:23:a1:ec:31:da:7b:63:69:c4:
         b8:f3:e7:ce:a1:3d:c0:db:6d:f3:b2:d9:46:c8:9f:c3:b8:70:
         5a:1f:7f:ca
------BEGIN CERTIFICATE-----
-MIIEnjCCA4agAwIBAgIJAOnQp195JfQ8MA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD
-VQQGEwJVUzEQMA4GA1UECBMHTW9udGFuYTEQMA4GA1UEBxMHQm96ZW1hbjERMA8G
-A1UEChMIU2F3dG9vdGgxEzARBgNVBAsTCkNvbnN1bHRpbmcxFjAUBgNVBAMTDXd3
-dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEWDmluZm9AeWFzc2wuY29tMB4XDTEx
-MTAyNDE4MTgxNVoXDTE0MDcyMDE4MTgxNVowgZAxCzAJBgNVBAYTAlVTMRAwDgYD
-VQQIEwdNb250YW5hMRAwDgYDVQQHEwdCb3plbWFuMREwDwYDVQQKEwhTYXd0b290
-aDETMBEGA1UECxMKQ29uc3VsdGluZzEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEd
-MBsGCSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
-A4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgfSvJNdRDxtjWf38p9A5jTrN4DZu4q
-8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLqypC7aVIQAy+o85XF8YtiVhvvZ2+k
-EEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04KRysx+3yfJWwlYJ9SVw4zXcl772A
-dVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC19pAb9gh3HMbQi1TnP4a/H2rejY/
-mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VWL6Mm0rdvsVoX1ziZCP6TWG/+wxNJ
-CBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u97TZ5AgMBAAGjgfgwgfUwHQYDVR0O
-BBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejVMIHFBgNVHSMEgb0wgbqAFCeOZxF0wyYd
-P+0zY7Ok2B0w5ejVoYGWpIGTMIGQMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHTW9u
-dGFuYTEQMA4GA1UEBxMHQm96ZW1hbjERMA8GA1UEChMIU2F3dG9vdGgxEzARBgNV
-BAsTCkNvbnN1bHRpbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG
-9w0BCQEWDmluZm9AeWFzc2wuY29tggkA6dCnX3kl9DwwDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQUFAAOCAQEAX4YU9FGLvKVOMNperJr4bNkmS5P54xyJb57us513
-PokgdqPm6IYVIdviM7I01dCf88Gkh5Jc+dH/MC+OA7yzPAwyo5BfGpAer53zntcH
-Aql9J2ZjL68Y16wYmIyDjzjzC6w2EHX7ynYTUFsCj3O/46Dug1IlVM4mzpy9L3mr
-G2C4kvEDwPw7CNnArdVyCCWAYS3cn6eDYgdH4AdMSwcwBKmHHFV/BxLQy0Jdy89m
-ARoX7vkPYLfbb2jlTkFibtNvYE9LJ97PGAfxE13LP6klRNpSXMgE4VYS9SqQTtHi
-rwG1I6HsMdp7Y2nEuPPnzqE9wNtt87LZRsifw7hwWh9/yg==
------END CERTIFICATE-----

cyassl/error.h

@@ -104,6 +104,7 @@ enum CyaSSL_ErrorCodes {
     COOKIE_ERROR           = -269,            /* dtls cookie error */
     SEQUENCE_ERROR         = -270,            /* dtls sequence error */
     SUITES_ERROR           = -271,            /* suites pointer error */
+    SSL_NO_PEM_HEADER      = -272,            /* no PEM header found */
     /* add strings to SetErrorString !!!!! */
 
     /* begin negotiation parameter errors */

src/internal.c

@@ -4259,6 +4259,10 @@ void SetErrorString(int error, char* str)
         XSTRNCPY(str, "Suites Pointer Error", max);
         break;
 
+    case SSL_NO_PEM_HEADER:
+        XSTRNCPY(str, "No PEM Header Error", max);
+        break;
+
     default :
         XSTRNCPY(str, "unknown error number", max);
     }

src/ssl.c

@@ -831,8 +831,10 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
         
             headerEnd = XSTRNSTR((char*)buff, header, sz);
         }
-        if (!headerEnd)
-            return SSL_BAD_FILE;
+        if (!headerEnd) {
+            CYASSL_MSG("Couldn't find PEM header");
+            return SSL_NO_PEM_HEADER;
+        }
         headerEnd += XSTRLEN(header);
 
         /* get next line */
@@ -985,6 +987,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
                 word32 bufferSz = sizeof(staticBuffer);
                 long   consumed = info.consumed;
                 word32 idx = 0;
+                int    gotOne = 0;
 
                 if ( (sz - consumed) > (int)bufferSz) {
                     CYASSL_MSG("Growing Tmp Chain Buffer");
@@ -1000,7 +1003,6 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
 
                 CYASSL_MSG("Processing Cert Chain");
                 while (consumed < sz) {
-                    long   left;
                     buffer part;
                     info.consumed = 0;
                     part.buffer = 0;
@@ -1008,6 +1010,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
                     ret = PemToDer(buff + consumed, sz - consumed, type, &part,
                                    ctx->heap, &info, &eccKey);
                     if (ret == 0) {
+                        gotOne = 1;
                         if ( (idx + part.length) > bufferSz) {
                             CYASSL_MSG("   Cert Chain bigger than buffer");
                             ret = BUFFER_E;
@@ -1024,18 +1027,19 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
                     }
 
                     XFREE(part.buffer, ctx->heap, dynamicType);
+
+                    if (ret == SSL_NO_PEM_HEADER && gotOne) {
+                        CYASSL_MSG("We got one good PEM so stuff at end ok");
+                        ret = 0;
+                        break;
+                    }
+
                     if (ret < 0) {
                         CYASSL_MSG("   Error in Cert in Chain");
                         XFREE(der.buffer, ctx->heap, dynamicType);
                         return ret;
                     }
                     CYASSL_MSG("   Consumed another Cert in Chain");
-
-                    left = sz - consumed;
-                    if (left > 0 && left < CERT_MIN_SIZE) {
-                        CYASSL_MSG("   Non Cert at end of file");
-                        break;
-                    }
                 }
                 CYASSL_MSG("Finished Processing Cert Chain");
                 ctx->certChain.buffer = (byte*)XMALLOC(idx, ctx->heap,
@@ -1230,28 +1234,31 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
 static int ProcessChainBuffer(CYASSL_CTX* ctx, const unsigned char* buff,
                             long sz, int format, int type, CYASSL* ssl)
 {
-    long used = 0;
-    int  ret  = 0;
+    long used   = 0;
+    int  ret    = 0;
+    int  gotOne = 0;
 
     CYASSL_MSG("Processing CA PEM file");
     while (used < sz) {
         long consumed = 0;
-        long left;
 
         ret = ProcessBuffer(ctx, buff + used, sz - used, format, type, ssl,
                             &consumed, 0);
+
+        if (ret == SSL_NO_PEM_HEADER && gotOne) {
+            CYASSL_MSG("We got one good PEM file so stuff at end ok");
+            ret = SSL_SUCCESS;
+            break;
+        }
+
         if (ret < 0)
             break;
 
         CYASSL_MSG("   Processed a CA");
+        gotOne = 1;
         used += consumed;
-
-        left = sz - used;
-        if (left > 0 && left < CERT_MIN_SIZE) { /* non cert stuff at eof */
-            CYASSL_MSG("   Non CA cert at eof");
-            break;
-        }
     }
+
     return ret;
 }