From 6dbc1cb75d3ea4eb9b1fbd784e98f8f8e3ebaa9b Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 25 Sep 2020 14:26:30 -0700
Subject: [PATCH 1/5] Add support for TLS v1.3 compatibility API `SSL_verify_client_post_handshake` for the server-side to support rehandshake. Required for Apache v2.4.39 with TLS v1.3.
---
 src/ssl.c | 24 ++++++++++++++++++++++++
 wolfssl/openssl/ssl.h | 1 +
 wolfssl/ssl.h | 2 ++
 3 files changed, 27 insertions(+)
diff --git a/src/ssl.c b/src/ssl.c
index a6b0f90f4..caa0a4fb8 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10357,6 +10357,30 @@ void wolfSSL_set_verify_result(WOLFSSL *ssl, long v)
 #endif
 }
+/* For TLS v1.3 perform rehandshake. Returns 1=WOLFSSL_SUCCESS or 0=WOLFSSL_FAILURE */
+int wolfSSL_verify_client_post_handshake(WOLFSSL* ssl)
+{
+ int ret = NOT_COMPILED_IN;
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
+ (!defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT))
+ #ifndef NO_WOLFSSL_SERVER
+ if (ssl->options.side == WOLFSSL_SERVER_END) {
+ ret = wolfSSL_request_certificate(ssl);
+ }
+ #endif
+ #ifndef NO_WOLFSSL_CLIENT
+ if (ssl->options.side == WOLFSSL_CLIENT_END) {
+ ret = wolfSSL_allow_post_handshake_auth(ssl);
+ }
+ #endif
+#else
+ (void)ssl;
+#endif
+ ret = (ret == 0) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
+
+ return ret;
+}
+
 /* store user ctx for verify callback */
 void wolfSSL_SetCertCbCtx(WOLFSSL* ssl, void* ctx)
 {
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index 17ce61311..bb84756ee 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -279,6 +279,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define SSL_CTX_set_cert_verify_callback wolfSSL_CTX_set_cert_verify_callback
 #define SSL_set_verify wolfSSL_set_verify
 #define SSL_set_verify_result wolfSSL_set_verify_result
+#define SSL_verify_client_post_handshake wolfSSL_verify_client_post_handshake
 #define SSL_pending wolfSSL_pending
 #define SSL_load_error_strings wolfSSL_load_error_strings
 #define SSL_library_init wolfSSL_library_init
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 8af089fba..e73428931 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -974,6 +974,8 @@ WOLFSSL_API void wolfSSL_CTX_set_cert_verify_callback(WOLFSSL_CTX* ctx,
 WOLFSSL_API void wolfSSL_set_verify(WOLFSSL*, int, VerifyCallback verify_callback);
 WOLFSSL_API void wolfSSL_set_verify_result(WOLFSSL*, long);
+WOLFSSL_API int wolfSSL_verify_client_post_handshake(WOLFSSL*);
+
 WOLFSSL_API void wolfSSL_SetCertCbCtx(WOLFSSL*, void*);
 WOLFSSL_ABI WOLFSSL_API int wolfSSL_pending(WOLFSSL*);
From a50e88430f93c60350749a9dd219b9df5fa11eef Mon Sep 17 00:00:00 2001
From: David Garske
Date: Mon, 28 Sep 2020 13:25:44 -0700
Subject: [PATCH 2/5] Add `OPENSSL_init_crypto` and `OPENSSL_init_ssl` API's.
---
 src/ssl.c | 14 ++++++++++++++
 wolfssl/openssl/crypto.h | 19 ++++++++++++-------
 wolfssl/openssl/ssl.h | 4 ++++
 3 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index caa0a4fb8..8b2e0095e 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -31584,6 +31584,20 @@ void *wolfSSL_OPENSSL_malloc(size_t a)
 return XMALLOC(a, NULL, DYNAMIC_TYPE_OPENSSL);
 }
+int wolfSSL_OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+{
+ (void)opts;
+ (void)settings;
+ return wolfSSL_library_init();
+}
+
+int wolfSSL_OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS* settings)
+{
+ (void)opts;
+ (void)settings;
+ return wolfSSL_library_init();
+}
+
 #if defined(WOLFSSL_KEY_GEN) && defined(WOLFSSL_PEM_TO_DER)
 static int EncryptDerKey(byte *der, int *derSz, const EVP_CIPHER* cipher,
diff --git a/wolfssl/openssl/crypto.h b/wolfssl/openssl/crypto.h
index fe2bb7d94..7b1dab137 100644
--- a/wolfssl/openssl/crypto.h
+++ b/wolfssl/openssl/crypto.h
@@ -24,10 +24,11 @@
 #ifndef WOLFSSL_CRYPTO_H_
 #define WOLFSSL_CRYPTO_H_
-#include
-
 #include
+#include
+#include
+
 #ifdef WOLFSSL_PREFIX
 #include "prefix_crypto.h"
 #endif
@@ -40,6 +41,8 @@ WOLFSSL_API unsigned long wolfSSL_OpenSSL_version_num(void);
 #ifdef OPENSSL_EXTRA
 WOLFSSL_API void wolfSSL_OPENSSL_free(void*);
 WOLFSSL_API void *wolfSSL_OPENSSL_malloc(size_t a);
+
+WOLFSSL_API int wolfSSL_OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
 #endif
 #define CRYPTO_THREADID void
@@ -62,11 +65,13 @@ WOLFSSL_API void *wolfSSL_OPENSSL_malloc(size_t a);
 #define OPENSSL_free wolfSSL_OPENSSL_free
 #define OPENSSL_malloc wolfSSL_OPENSSL_malloc
-#ifdef WOLFSSL_QT
- #define OPENSSL_INIT_ADD_ALL_CIPHERS 0x00000004L
- #define OPENSSL_INIT_ADD_ALL_DIGESTS 0x00000008L
- #define OPENSSL_INIT_LOAD_CONFIG 0x00000040L
-#endif
+#define OPENSSL_INIT_ENGINE_ALL_BUILTIN 0x00000001L
+#define OPENSSL_INIT_ADD_ALL_CIPHERS 0x00000004L
+#define OPENSSL_INIT_ADD_ALL_DIGESTS 0x00000008L
+#define OPENSSL_INIT_LOAD_CONFIG 0x00000040L
+
+#define OPENSSL_init_crypto wolfSSL_OPENSSL_init_crypto
+
 #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \
 defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)
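Review bot: `wolfSSL_OPENSSL_init_ssl` and `wolfSSL_OPENSSL_init_crypto` discard `opts` and `settings` and always return `wolfSSL_library_init()`, so a caller passing `OPENSSL_INIT_LOAD_CONFIG` (one of the flags this patch defines in crypto.h) gets a success return even though no configuration is loaded. That should at least be stated above each function, e.g. `/* OpenSSL compat: opts (OPENSSL_INIT_*) and settings are accepted but ignored; this only runs wolfSSL_library_init(). */`, and since both bodies are identical `wolfSSL_OPENSSL_init_ssl` could simply `return wolfSSL_OPENSSL_init_crypto(opts, settings);`. The crypto.h declaration also uses `OPENSSL_INIT_SETTINGS`, which this patch does not define; presumably it comes from one of the includes (unreadable in this rendering), but it is worth confirming it is visible wherever crypto.h is included on its own.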
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index bb84756ee..ce9e538b4 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -67,6 +67,9 @@
 #undef ASN1_INTEGER
 #endif
+#ifdef OPENSSL_EXTRA
+WOLFSSL_API int wolfSSL_OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
+#endif
 typedef WOLFSSL SSL;
 typedef WOLFSSL_SESSION SSL_SESSION;
@@ -283,6 +286,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define SSL_pending wolfSSL_pending
 #define SSL_load_error_strings wolfSSL_load_error_strings
 #define SSL_library_init wolfSSL_library_init
+#define OPENSSL_init_ssl wolfSSL_OPENSSL_init_ssl
 #define OpenSSL_add_ssl_algorithms wolfSSL_library_init
 #define SSL_CTX_set_session_cache_mode wolfSSL_CTX_set_session_cache_mode
 #define SSL_CTX_set_cipher_list wolfSSL_CTX_set_cipher_list
From 685a35e0970812d5de874c8c2c91cc8371d49380 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 23 Oct 2020 13:42:25 -0700
Subject: [PATCH 3/5] Add missing stdint.h reference.
---
 wolfssl/openssl/crypto.h | 2 ++
 wolfssl/openssl/ssl.h | 1 +
 2 files changed, 3 insertions(+)
diff --git a/wolfssl/openssl/crypto.h b/wolfssl/openssl/crypto.h
index 7b1dab137..6b701aaec 100644
--- a/wolfssl/openssl/crypto.h
+++ b/wolfssl/openssl/crypto.h
@@ -39,6 +39,8 @@ WOLFSSL_API unsigned long wolfSSLeay(void);
 WOLFSSL_API unsigned long wolfSSL_OpenSSL_version_num(void);
 #ifdef OPENSSL_EXTRA
+#include
+
 WOLFSSL_API void wolfSSL_OPENSSL_free(void*);
 WOLFSSL_API void *wolfSSL_OPENSSL_malloc(size_t a);
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index ce9e538b4..e2673048e 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -68,6 +68,7 @@
 #endif
 #ifdef OPENSSL_EXTRA
+#include
 WOLFSSL_API int wolfSSL_OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
 #endif
From 3b4ec74174f340e2dfc075f7818ab3f210876e3c Mon Sep 17 00:00:00 2001
From: David Garske
Date: Wed, 4 Nov 2020 15:05:50 -0800
Subject: [PATCH 4/5] Fixes for openssl compatibility. Added `SSL_CTX_set_post_handshake_auth` and `SSL_set_post_handshake_auth` API's for enabling or disabling post handshake authentication for TLS v1.3.
---
 src/ssl.c | 44 +++++++++++++++++++++++--------------------
 wolfssl/openssl/ssl.h | 2 ++
 wolfssl/ssl.h | 6 ++++++
 3 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 8b2e0095e..3cd5b09a4 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10357,30 +10357,34 @@ void wolfSSL_set_verify_result(WOLFSSL *ssl, long v)
 #endif
 }
-/* For TLS v1.3 perform rehandshake. Returns 1=WOLFSSL_SUCCESS or 0=WOLFSSL_FAILURE */
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
+ defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+/* For TLS v1.3 send handshake messages after handshake completes. */
+/* Returns 1=WOLFSSL_SUCCESS or 0=WOLFSSL_FAILURE */
 int wolfSSL_verify_client_post_handshake(WOLFSSL* ssl)
 {
- int ret = NOT_COMPILED_IN;
-#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
- (!defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT))
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- ret = wolfSSL_request_certificate(ssl);
- }
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- ret = wolfSSL_allow_post_handshake_auth(ssl);
- }
- #endif
-#else
- (void)ssl;
-#endif
- ret = (ret == 0) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
-
- return ret;
+ int ret = wolfSSL_request_certificate(ssl);
+ return (ret == 0) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
 }
+void wolfSSL_CTX_set_post_handshake_auth(WOLFSSL_CTX* ctx, int val)
+{
+ int ret = wolfSSL_CTX_allow_post_handshake_auth(ctx);
+ if (ret == 0) {
+ ctx->postHandshakeAuth = (val != 0);
+ }
+ return (ret == 0) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
+}
+void wolfSSL_set_post_handshake_auth(WOLFSSL* ssl, int val)
+{
+ int ret = wolfSSL_allow_post_handshake_auth(ssl);
+ if (ret == 0) {
+ ssl->options.postHandshakeAuth = (val != 0);
+ }
+ return (ret == 0) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
+}
+#endif /* OPENSSL_EXTRA && !NO_CERTS && WOLFSSL_TLS13 && WOLFSSL_POST_HANDSHAKE_AUTH */
+
 /* store user ctx for verify callback */
 void wolfSSL_SetCertCbCtx(WOLFSSL* ssl, void* ctx)
 {
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index e2673048e..90407b695 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
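Review bot: `wolfSSL_CTX_set_post_handshake_auth` and `wolfSSL_set_post_handshake_auth` call the `_allow_post_handshake_auth` helper before looking at `val`, so a call with `val == 0` (the OpenSSL meaning of "disable") first enables post-handshake auth through the helper and then clears `postHandshakeAuth`; if that helper does anything beyond setting the flag, disabling will not undo it, which is worth confirming against the helper bodies, which are outside this hunk. The rewritten `wolfSSL_verify_client_post_handshake` also drops the old `options.side` check, so in a build with both ends enabled a client-side call now reaches `wolfSSL_request_certificate` directly; presumably that helper rejects client use, but a one-line note saying so would help. Both setters lack the header comment the function above them carries; I would add `/* Enable (val != 0) or disable (val == 0) TLS v1.3 post-handshake authentication on the ctx/ssl. */` and `/* Returns 1=WOLFSSL_SUCCESS or 0=WOLFSSL_FAILURE */` above each.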
@@ -284,6 +284,8 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define SSL_set_verify wolfSSL_set_verify
 #define SSL_set_verify_result wolfSSL_set_verify_result
 #define SSL_verify_client_post_handshake wolfSSL_verify_client_post_handshake
+#define SSL_set_post_handshake_auth wolfSSL_set_post_handshake_auth
+#define SSL_CTX_set_post_handshake_auth wolfSSL_CTX_set_post_handshake_auth
 #define SSL_pending wolfSSL_pending
 #define SSL_load_error_strings wolfSSL_load_error_strings
 #define SSL_library_init wolfSSL_library_init
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index e73428931..1033c8808 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -974,7 +974,13 @@ WOLFSSL_API void wolfSSL_CTX_set_cert_verify_callback(WOLFSSL_CTX* ctx,
 WOLFSSL_API void wolfSSL_set_verify(WOLFSSL*, int, VerifyCallback verify_callback);
 WOLFSSL_API void wolfSSL_set_verify_result(WOLFSSL*, long);
+
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
+ defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
 WOLFSSL_API int wolfSSL_verify_client_post_handshake(WOLFSSL*);
+WOLFSSL_API void wolfSSL_CTX_set_post_handshake_auth(WOLFSSL_CTX*, int);
+WOLFSSL_API void wolfSSL_set_post_handshake_auth(WOLFSSL*, int);
+#endif
 WOLFSSL_API void wolfSSL_SetCertCbCtx(WOLFSSL*, void*);
From 1dc7293b1913ba86b99fa0ce44f1afed11ecdfd5 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Thu, 5 Nov 2020 09:31:12 -0800
Subject: [PATCH 5/5] Fix the return code. openssl uses void on these, but let's go ahead and do a return code.
---
 src/ssl.c | 4 ++--
 wolfssl/ssl.h | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 3cd5b09a4..a5e866cae 100644
--- a/src/ssl.c
+++ b/src/ssl.c
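Review bot: The two new `SSL_*_post_handshake_auth` macros, and the `SSL_verify_client_post_handshake` macro just above them, are defined unconditionally, while the functions they map to are declared in the wolfssl/ssl.h hunk of this patch only under `OPENSSL_EXTRA && !NO_CERTS && WOLFSSL_TLS13 && WOLFSSL_POST_HANDSHAKE_AUTH` and compiled in src/ssl.c under the same guard. In any other configuration an application that calls `SSL_set_post_handshake_auth` compiles against an implicit declaration and fails at link time instead of getting a clear diagnostic. I would wrap the three `#define`s in the same `#if` so the compat names disappear together with the implementation, or alternatively provide stubs returning `WOLFSSL_FAILURE` under an `#else` in src/ssl.c.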
@@ -10367,7 +10367,7 @@ int wolfSSL_verify_client_post_handshake(WOLFSSL* ssl)
 return (ret == 0) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
 }
-void wolfSSL_CTX_set_post_handshake_auth(WOLFSSL_CTX* ctx, int val)
+int wolfSSL_CTX_set_post_handshake_auth(WOLFSSL_CTX* ctx, int val)
 {
 int ret = wolfSSL_CTX_allow_post_handshake_auth(ctx);
 if (ret == 0) {
@@ -10375,7 +10375,7 @@ void wolfSSL_CTX_set_post_handshake_auth(WOLFSSL_CTX* ctx, int val)
 }
 return (ret == 0) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
 }
-void wolfSSL_set_post_handshake_auth(WOLFSSL* ssl, int val)
+int wolfSSL_set_post_handshake_auth(WOLFSSL* ssl, int val)
 {
 int ret = wolfSSL_allow_post_handshake_auth(ssl);
 if (ret == 0) {
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 1033c8808..4597c2f01 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -977,9 +977,9 @@ WOLFSSL_API void wolfSSL_set_verify_result(WOLFSSL*, long);
 #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
 defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
-WOLFSSL_API int wolfSSL_verify_client_post_handshake(WOLFSSL*);
-WOLFSSL_API void wolfSSL_CTX_set_post_handshake_auth(WOLFSSL_CTX*, int);
-WOLFSSL_API void wolfSSL_set_post_handshake_auth(WOLFSSL*, int);
+WOLFSSL_API int wolfSSL_verify_client_post_handshake(WOLFSSL*);
+WOLFSSL_API int wolfSSL_CTX_set_post_handshake_auth(WOLFSSL_CTX*, int);
+WOLFSSL_API int wolfSSL_set_post_handshake_auth(WOLFSSL*, int);
 #endif
 WOLFSSL_API void wolfSSL_SetCertCbCtx(WOLFSSL*, void*);