From 46b061c7bc6eab954e880cda21b9ac74f86494e0 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 3 Aug 2021 17:52:30 +0200 Subject: [PATCH 1/3] Include stuff needed for EAP in hostap Patch that includes the API needed for EAP in hostapd and wpa_supplicant --- configure.ac | 6 +++--- src/internal.c | 4 ++-- src/ssl.c | 29 +++++++++++++++++++++++++---- tests/api.c | 4 +++- wolfssl/internal.h | 2 +- wolfssl/ssl.h | 2 +- 6 files changed, 35 insertions(+), 12 deletions(-) diff --git a/configure.ac b/configure.ac index 710998c5e..0d006e2ee 100644 --- a/configure.ac +++ b/configure.ac @@ -974,7 +974,7 @@ if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "x$ENABLED_OPENSSLCOEXIST" = "xn then AM_CFLAGS="-DOPENSSL_EXTRA -DWOLFSSL_ALWAYS_VERIFY_CB $AM_CFLAGS" AM_CFLAGS="-DWOLFSSL_VERIFY_CB_ALL_CERTS -DWOLFSSL_EXTRA_ALERTS $AM_CFLAGS" - AM_CFLAGS="-DHAVE_EXT_CACHE $AM_CFLAGS" + AM_CFLAGS="-DHAVE_EXT_CACHE -DWOLFSSL_FORCE_CACHE_ON_TICKET $AM_CFLAGS" fi if test "$ENABLED_OPENSSLEXTRA" = "x509small" @@ -1037,8 +1037,6 @@ fi if test "$ENABLED_WPAS" = "small" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WPAS_SMALL" - AM_CFLAGS="$AM_CFLAGS -DKEEP_OUR_CERT" - AM_CFLAGS="$AM_CFLAGS -DKEEP_PEER_CERT" fi if test "$ENABLED_WPAS" = "yes" then @@ -1060,6 +1058,8 @@ then AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB" + AM_CFLAGS="$AM_CFLAGS -DKEEP_OUR_CERT" + AM_CFLAGS="$AM_CFLAGS -DKEEP_PEER_CERT" fi if test "$ENABLED_FORTRESS" = "yes" diff --git a/src/internal.c b/src/internal.c index 5d6a8fe3a..8e4a2e030 100644 --- a/src/internal.c +++ b/src/internal.c @@ -13187,7 +13187,7 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size, ssl->secure_renegotiation->verifySet = 1; } #endif -#ifdef OPENSSL_ALL +#if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS) if (ssl->options.side == WOLFSSL_CLIENT_END) XMEMCPY(ssl->serverFinished, input + *inOutIdx, TLS_FINISHED_SZ); 
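Review bot: The configure.ac hunk at @@ -974 adds `-DWOLFSSL_FORCE_CACHE_ON_TICKET` to every OPENSSL_EXTRA build rather than only to the ENABLED_WPAS configuration this series is about, so for all opensslextra users a session that carries a ticket is now kept in the session cache even though `sessionCacheOff` is set (see the GetSession/SetSession/AddSession hunks in src/ssl.c). If the define is only needed for hostapd/wpa_supplicant it belongs in the `ENABLED_WPAS` block at @@ -1060, next to the KEEP_OUR_CERT/KEEP_PEER_CERT lines this commit moves there; if the wider default is intended, the commit message should say so, because it changes where resumption secrets are retained for applications that explicitly disabled caching. Either way the AM_CFLAGS line deserves a comment naming the consumer that requires it, e.g. `# WOLFSSL_FORCE_CACHE_ON_TICKET: <state which application/protocol needs ticket sessions cached despite sessionCacheOff>`.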
@@ -17978,7 +17978,7 @@ int SendFinished(WOLFSSL* ssl) TLS_FINISHED_SZ); } #endif -#ifdef OPENSSL_ALL +#if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS) if (ssl->options.side == WOLFSSL_CLIENT_END) XMEMCPY(ssl->clientFinished, hashes, TLS_FINISHED_SZ); diff --git a/src/ssl.c b/src/ssl.c index e0875ef87..c0cbdb211 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -14084,7 +14084,14 @@ WOLFSSL_SESSION* GetSession(WOLFSSL* ssl, byte* masterSecret, (void) restoreSessionCerts; - if (ssl->options.sessionCacheOff) + if (ssl->options.sessionCacheOff +#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_FORCE_CACHE_ON_TICKET) + && ssl->session.ticketLen == 0 +#endif +#ifdef OPENSSL_EXTRA + && ssl->options.side != WOLFSSL_CLIENT_END +#endif + ) return NULL; if (ssl->options.haveSessionId == 0) @@ -14291,7 +14298,14 @@ static int GetDeepCopySession(WOLFSSL* ssl, WOLFSSL_SESSION* copyFrom) int SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session) { - if (ssl == NULL || ssl->options.sessionCacheOff) + if (ssl == NULL || (ssl->options.sessionCacheOff +#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_FORCE_CACHE_ON_TICKET) + && session->ticketLen == 0 +#endif +#ifdef OPENSSL_EXTRA + && ssl->options.side != WOLFSSL_CLIENT_END +#endif + )) return WOLFSSL_FAILURE; #ifdef OPENSSL_EXTRA @@ -14356,7 +14370,14 @@ int AddSession(WOLFSSL* ssl) int cbRet = 0; #endif - if (ssl->options.sessionCacheOff) + if (ssl->options.sessionCacheOff +#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_FORCE_CACHE_ON_TICKET) + && ssl->session.ticketLen == 0 +#endif +#ifdef OPENSSL_EXTRA + && ssl->options.side != WOLFSSL_CLIENT_END +#endif + ) return 0; if (ssl->options.haveSessionId == 0) 
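Review bot: In the SetSession hunk at @@ -14291,7 +14298,14 the new `session->ticketLen == 0` term dereferences the caller-supplied `session` while the guard in front of it still checks only `ssl == NULL`, so under HAVE_SESSION_TICKET with WOLFSSL_FORCE_CACHE_ON_TICKET a NULL session reaches that read whenever `sessionCacheOff` is set. If every caller already rejects a NULL session (not visible in this hunk) the cost is only an undocumented precondition; otherwise the guard should read `if (ssl == NULL || session == NULL || (ssl->options.sessionCacheOff`. The same read is carried unchanged into SslSessionCacheOn in patch 2 and SslSessionCacheOff in patch 3, where `(void)session;` marks the parameter as possibly unused but nothing marks it as non-NULL, so whichever place ends up owning the check should also carry a one-line comment stating that `session` must be non-NULL. The GetSession and AddSession hunks pass `&ssl->session` and are not affected.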
@@ -27259,7 +27280,7 @@ int wolfSSL_i2d_ASN1_OBJECT(WOLFSSL_ASN1_OBJECT *a, unsigned char **pp) return a->objSz; } -#if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS) WOLFSSL_API size_t wolfSSL_get_finished(const WOLFSSL *ssl, void *buf, size_t count) { WOLFSSL_ENTER("SSL_get_finished"); diff --git a/tests/api.c b/tests/api.c index 556777871..e353ea09a 100644 --- a/tests/api.c +++ b/tests/api.c @@ -23448,6 +23448,7 @@ static int test_wc_ecc_pointFns (void) printf(resultFmt, ret == 0 ? passed : failed); +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) #ifdef USE_ECC_B_PARAM printf(testingFmt, "wc_ecc_point_is_on_curve()"); /* On curve if ret == 0 */ @@ -23468,6 +23469,7 @@ static int test_wc_ecc_pointFns (void) } printf(resultFmt, ret == 0 ? passed : failed); #endif /* USE_ECC_B_PARAM */ +#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */ /* Free */ wc_ecc_del_point(point); @@ -30971,7 +30973,7 @@ static void test_wolfSSL_Tls13_Key_Logging_test(void) printf(resultFmt, passed); -#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */ +#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && WOLFSSL_TLS13 */ } static void test_wolfSSL_X509_NID(void) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index bfdb605c8..e25bdbd6c 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4478,7 +4478,7 @@ struct WOLFSSL { #ifdef WOLFSSL_STATIC_EPHEMERAL StaticKeyExchangeInfo_t staticKE; #endif -#if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS) /* Added in libest port: allow applications to get the 'tls-unique' Channel * Binding Type (https://tools.ietf.org/html/rfc5929#section-3). This is * used in the EST protocol to bind an enrollment to a TLS session through diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index d9b0812fe..99bf5e4e7 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
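Review bot: The two tests/api.c hunks (@@ -23448 and @@ -23468) wrap the wc_ecc_point_is_on_curve test in a HAVE_FIPS version guard, which has no relation to the EAP/hostapd API this commit describes and is not mentioned in the commit message; it should be a separate commit, or at least get a line in the message, so the FIPS-version rationale is not lost. The closing `#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */` comment also does not mirror the opening condition, which additionally requires `defined(HAVE_FIPS_VERSION)`; `#endif /* !HAVE_FIPS || (HAVE_FIPS_VERSION && HAVE_FIPS_VERSION > 2) */` would match it.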
@@ -4408,7 +4408,7 @@ WOLFSSL_API int wolfSSL_X509_check_email(WOLFSSL_X509 *x, const char *chk,
 #endif /* OPENSSL_EXTRA && WOLFSSL_CERT_GEN */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS)
 WOLFSSL_API const unsigned char *SSL_SESSION_get0_id_context(
 const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length);
 WOLFSSL_API size_t wolfSSL_get_finished(const WOLFSSL *ssl, void *buf, size_t count);
From 2cd499d2df6d20fb0062f5d3ff43bc3fda5986ec Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Tue, 3 Aug 2021 15:56:32 +0200
Subject: [PATCH 2/3] Refactor session cache on checking into function

---
 src/ssl.c | 44 +++++++++++++++++++-------------------------
 1 file changed, 19 insertions(+), 25 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index c0cbdb211..b32164b45 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -14072,6 +14072,22 @@ static WC_INLINE void RestoreSession(WOLFSSL* ssl, WOLFSSL_SESSION* session,
 #endif
 }
+static int SslSessionCacheOn(const WOLFSSL* ssl, const WOLFSSL_SESSION* session)
+{
+ (void)session;
+ if (ssl->options.sessionCacheOff
+ #if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_FORCE_CACHE_ON_TICKET)
+ && session->ticketLen == 0
+ #endif
+ #ifdef OPENSSL_EXTRA
+ && ssl->options.side != WOLFSSL_CLIENT_END
+ #endif
+ )
+ return WOLFSSL_FAILURE;
+ else
+ return WOLFSSL_SUCCESS;
+}
 WOLFSSL_SESSION* GetSession(WOLFSSL* ssl, byte* masterSecret,
 byte restoreSessionCerts)
 {
@@ -14084,14 +14100,7 @@ WOLFSSL_SESSION* GetSession(WOLFSSL* ssl, byte* masterSecret,
 (void) restoreSessionCerts;
- if (ssl->options.sessionCacheOff
-#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_FORCE_CACHE_ON_TICKET)
- && ssl->session.ticketLen == 0
-#endif
-#ifdef OPENSSL_EXTRA
- && ssl->options.side != WOLFSSL_CLIENT_END
-#endif
- )
+ if (!SslSessionCacheOn(ssl, &ssl->session))
 return NULL;
 if (ssl->options.haveSessionId == 0)
@@ -14295,17 +14304,9 @@ static int GetDeepCopySession(WOLFSSL* ssl, WOLFSSL_SESSION* copyFrom)
 return ret;
 }
-
 int SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session)
 {
- if (ssl == NULL || (ssl->options.sessionCacheOff
-#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_FORCE_CACHE_ON_TICKET)
- && session->ticketLen == 0
-#endif
-#ifdef OPENSSL_EXTRA
- && ssl->options.side != WOLFSSL_CLIENT_END
-#endif
- ))
+ if (ssl == NULL || !SslSessionCacheOn(ssl, session))
 return WOLFSSL_FAILURE;
 #ifdef OPENSSL_EXTRA
@@ -14370,14 +14371,7 @@ int AddSession(WOLFSSL* ssl)
 int cbRet = 0;
 #endif
- if (ssl->options.sessionCacheOff
-#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_FORCE_CACHE_ON_TICKET)
- && ssl->session.ticketLen == 0
-#endif
-#ifdef OPENSSL_EXTRA
- && ssl->options.side != WOLFSSL_CLIENT_END
-#endif
- )
+ if (!SslSessionCacheOn(ssl, &ssl->session))
 return 0;
 if (ssl->options.haveSessionId == 0)
From e583d0ab767e4d5338bb976eb3adcbb45a61f1cd Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Thu, 12 Aug 2021 13:52:25 +0200
Subject: [PATCH 3/3] SslSessionCacheOn -> SslSessionCacheOff

---
 src/ssl.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index b32164b45..a7e8bf277 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -14072,20 +14072,17 @@ static WC_INLINE void RestoreSession(WOLFSSL* ssl, WOLFSSL_SESSION* session,
 #endif
 }
-static int SslSessionCacheOn(const WOLFSSL* ssl, const WOLFSSL_SESSION* session)
+static int SslSessionCacheOff(const WOLFSSL* ssl, const WOLFSSL_SESSION* session)
 {
 (void)session;
- if (ssl->options.sessionCacheOff
+ return ssl->options.sessionCacheOff
 #if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_FORCE_CACHE_ON_TICKET)
 && session->ticketLen == 0
 #endif
 #ifdef OPENSSL_EXTRA
 && ssl->options.side != WOLFSSL_CLIENT_END
 #endif
- )
- return WOLFSSL_FAILURE;
- else
- return WOLFSSL_SUCCESS;
+ ;
 }
 WOLFSSL_SESSION* GetSession(WOLFSSL* ssl, byte* masterSecret,
@@ -14100,7 +14097,7 @@ WOLFSSL_SESSION* GetSession(WOLFSSL* ssl, byte* masterSecret,
 (void) restoreSessionCerts;
- if (!SslSessionCacheOn(ssl, &ssl->session))
+ if (SslSessionCacheOff(ssl, &ssl->session))
 return NULL;
 if (ssl->options.haveSessionId == 0)
@@ -14306,7 +14303,7 @@ static int GetDeepCopySession(WOLFSSL* ssl, WOLFSSL_SESSION* copyFrom)
 int SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session)
 {
- if (ssl == NULL || !SslSessionCacheOn(ssl, session))
+ if (ssl == NULL || SslSessionCacheOff(ssl, session))
 return WOLFSSL_FAILURE;
 #ifdef OPENSSL_EXTRA
@@ -14371,7 +14368,7 @@ int AddSession(WOLFSSL* ssl)
 int cbRet = 0;
 #endif
- if (!SslSessionCacheOn(ssl, &ssl->session))
+ if (SslSessionCacheOff(ssl, &ssl->session))
 return 0;
 if (ssl->options.haveSessionId == 0)
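Review bot: SslSessionCacheOff has no comment, and its result is not a plain mirror of `ssl->options.sessionCacheOff`: under OPENSSL_EXTRA a WOLFSSL on the client side is never reported as cache-off, and under WOLFSSL_FORCE_CACHE_ON_TICKET neither is any session with `ticketLen != 0`, so in those builds GetSession, SetSession and AddSession keep reading and writing the cache (the one GetSession returns a `masterSecret` from) after the application turned caching off. That is a deliberate override of an application setting whose reason is recorded nowhere in the series, so a header comment is warranted, e.g. `/* Non-zero when the session cache must not be used for this ssl/session pair. sessionCacheOff is intentionally overridden for OPENSSL_EXTRA clients and for ticket-bearing sessions (WOLFSSL_FORCE_CACHE_ON_TICKET). session must be non-NULL. */`, with the reason for the override (presumably the hostapd/wpa_supplicant EAP resumption case this series targets, to be confirmed) stated in it. As a point of style, the bare `&&` chain ending in a `;` on its own line after the last `#endif` is hard to read; `return (ssl->options.sessionCacheOff` with the closing `);` after the last `#endif` keeps the preprocessor-split expression visibly bracketed.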