From 10d5d599774d9b840da9d75ad27d3dc9725d661c Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Fri, 14 Feb 2025 12:19:12 -0600
Subject: [PATCH] add .github/workflows/opensslcoexist.yml.  fix
 TEST_OPENSSL_COEXIST section of wolfssl/ssl.h for compatibility with OpenSSL
 <3.2.  also, remove frivolous entry for WOLFSSL_HMAC_COPY_HASH in
 .wolfssl_known_macro_extras.

---
 .github/workflows/opensslcoexist.yml | 50 ++++++++++++++++++++++++++++
 .wolfssl_known_macro_extras          |  1 -
 wolfssl/ssl.h                        | 35 ++++++++++---------
 3 files changed, 70 insertions(+), 16 deletions(-)
 create mode 100644 .github/workflows/opensslcoexist.yml

diff --git a/.github/workflows/opensslcoexist.yml b/.github/workflows/opensslcoexist.yml
new file mode 100644
index 000000000..1b59bec85
--- /dev/null
+++ b/.github/workflows/opensslcoexist.yml
@@ -0,0 +1,50 @@
+name: OPENSSL_COEXIST and TEST_OPENSSL_COEXIST
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  make_check:
+    strategy:
+      matrix:
+        config: [
+          # Add new configs here
+          '--verbose --enable-all --disable-all-osp --disable-opensslall --enable-opensslcoexist CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -pedantic"',
+          '--verbose --enable-all --disable-all-osp --disable-opensslall --enable-opensslcoexist CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -pedantic -DTEST_OPENSSL_COEXIST"'
+        ]
+    name: make check
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test --enable-opensslcoexist and TEST_OPENSSL_COEXIST
+        run: |
+          ./autogen.sh || $(exit 2)
+          ./configure ${{ matrix.config }} || $(exit 3)
+          make -j 4 || $(exit 4)
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          for file in config.log scripts/*.log
+          do
+              if [ -f "$file" ]; then
+                  echo "${file}:"
+                  cat "$file"
+                  echo "========================================================================"
+              fi
+          done
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index 6eabf575a..cf9b3109a 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -651,7 +651,6 @@ WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS
 WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC
 WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK
 WOLFSSL_HARDEN_TLS_NO_SCR_CHECK
-WOLFSSL_HMAC_COPY_HASH
 WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
 WOLFSSL_I2D_ECDSA_SIG_ALLOC
 WOLFSSL_IAR_ARM_TIME
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index d9622b9bc..1c46f2b35 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -117,7 +117,6 @@
         #include <openssl/hmac.h>
         #include <openssl/bn.h>
         #include <openssl/crypto.h>
-
         #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
             FIPS_VERSION3_GE(5,2,0))
         #include <openssl/aes.h>
@@ -125,24 +124,15 @@
         #include <openssl/camellia.h>
         #include <openssl/cast.h>
         #include <openssl/cmac.h>
-        #include <openssl/cmp.h>
         #include <openssl/cms.h>
         #include <openssl/conf_api.h>
-        #include <openssl/core_object.h>
-        #include <openssl/decoder.h>
         #include <openssl/des.h>
         #include <openssl/dh.h>
         #include <openssl/dsa.h>
         #include <openssl/ecdh.h>
         #include <openssl/ecdsa.h>
-        #include <openssl/encoder.h>
         #include <openssl/engine.h>
-        #include <openssl/ess.h>
-        #include <openssl/fipskey.h>
-        #include <openssl/fips_names.h>
         #include <openssl/hmac.h>
-        #include <openssl/hpke.h>
-        #include <openssl/http.h>
         #include <openssl/idea.h>
         #include <openssl/kdf.h>
         #include <openssl/md2.h>
@@ -152,14 +142,10 @@
         #include <openssl/modes.h>
         #include <openssl/ocsp.h>
         #include <openssl/ossl_typ.h>
-        #include <openssl/param_build.h>
-        #include <openssl/params.h>
         #include <openssl/pem2.h>
         #include <openssl/pem.h>
         #include <openssl/pkcs12.h>
         #include <openssl/pkcs7.h>
-        #include <openssl/proverr.h>
-        #include <openssl/provider.h>
         #include <openssl/rand.h>
         #include <openssl/rc2.h>
         #include <openssl/rc4.h>
@@ -171,7 +157,6 @@
             #undef RSA_PKCS1_PADDING_SIZE
         #endif
         #include <openssl/seed.h>
-        #include <openssl/self_test.h>
         #include <openssl/sha.h>
         #include <openssl/srp.h>
         #include <openssl/srtp.h>
@@ -180,6 +165,26 @@
         #include <openssl/txt_db.h>
         #include <openssl/ui.h>
         #include <openssl/whrlpool.h>
+
+        #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+        #include <openssl/cmp.h>
+        #include <openssl/core_object.h>
+        #include <openssl/decoder.h>
+        #include <openssl/encoder.h>
+        #include <openssl/ess.h>
+        #include <openssl/fipskey.h>
+        #include <openssl/fips_names.h>
+        #if OPENSSL_VERSION_NUMBER >= 0x30200000L
+        #include <openssl/hpke.h>
+        #endif
+        #include <openssl/http.h>
+        #include <openssl/param_build.h>
+        #include <openssl/params.h>
+        #include <openssl/proverr.h>
+        #include <openssl/provider.h>
+        #include <openssl/self_test.h>
+        #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+
         #endif /* !HAVE_SELFTEST && (!HAVE_FIPS || FIPS_VERSION3_GE(5,2,0)) */
 
     #endif