From 873890316c3acbc48926f184e9bcabd02f309be9 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Wed, 20 Jul 2022 12:08:20 -0700
Subject: [PATCH 1/2] Don't require digital signature bit for static RSA cipher suites.

---
 src/internal.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index 56eac2df9..1dbd49afe 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -13379,7 +13379,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 (args->dCert->extKeyUsage & KEYUSE_KEY_ENCIPHER) == 0) {
 ret = KEYUSE_ENCIPHER_E;
 }
- if ((ssl->specs.sig_algo == rsa_sa_algo ||
+ if ((ssl->specs.kea != rsa_kea) &&
+ (ssl->specs.sig_algo == rsa_sa_algo ||
 (ssl->specs.sig_algo == ecc_dsa_sa_algo &&
 !ssl->specs.static_ecdh)) &&
 (args->dCert->extKeyUsage & KEYUSE_DIGITAL_SIG) == 0) {

From 741d61574b37e5dad7000dd97a6f8c5fd2db7cb5 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Wed, 20 Jul 2022 12:24:47 -0700
Subject: [PATCH 2/2] Make wolfSSL_CTX_clear_options available without OPENSSL_EXTRA.

---
 src/ssl.c | 4 ++--
 tests/api.c | 2 --
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 19bf28c9c..a062e3e2f 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -15896,8 +15896,6 @@ cleanup:
 return ctx->mask;
 }
 
-#ifdef OPENSSL_EXTRA
-
 long wolfSSL_CTX_clear_options(WOLFSSL_CTX* ctx, long opt)
 {
 WOLFSSL_ENTER("SSL_CTX_clear_options");
@@ -15907,6 +15905,8 @@ cleanup:
 return ctx->mask;
 }
 
+#ifdef OPENSSL_EXTRA
+
 int wolfSSL_set_rfd(WOLFSSL* ssl, int rfd)
 {
 WOLFSSL_ENTER("SSL_set_rfd");
diff --git a/tests/api.c b/tests/api.c
index aaeb0feea..d02c496a1 100644
--- a/tests/api.c
+++ b/tests/api.c
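Review bot: The new `ssl->specs.kea != rsa_kea` guard is keyed on the negotiated key exchange, not on whose certificate is being checked, so if ProcessPeerCerts also runs on the server side for a client certificate, a client cert under a static RSA suite would now skip the digitalSignature check even though that peer still signs CertificateVerify. If that path is reachable here, the guard should also consider the side, along the lines of `(ssl->specs.kea != rsa_kea || ssl->options.side == WOLFSSL_SERVER_END) &&`, assuming that is the right accessor. A short comment above the added line would also help, e.g. `/* Static RSA kex: the server key is used for encipherment, not signing (RFC 5246 7.4.2); keyEncipherment is enforced above. */`. The `if` that produces KEYUSE_ENCIPHER_E and the body of ProcessPeerCerts both begin outside the hunk.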
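Review bot: Moving `#ifdef OPENSSL_EXTRA` below wolfSSL_CTX_clear_options makes the definition unconditional, but the diffstat touches only src/ssl.c and tests/api.c, so if the prototype in the public header is still wrapped in OPENSSL_EXTRA, the now-unguarded call in tests/api.c is compiled against an undeclared function in builds without that flag. Please confirm the header declaration moves out of the guard as well, and that the per-SSL counterpart, if it has a mirrored guard, is treated consistently. The function body continues outside the hunk.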
@@ -35525,10 +35525,8 @@ static void test_wolfSSL_set_options(void)
 WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2);
 AssertTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_COMPRESSION) & WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION);
-#ifdef OPENSSL_EXTRA
 AssertFalse((wolfSSL_CTX_clear_options(ctx, WOLFSSL_OP_NO_COMPRESSION) & WOLFSSL_OP_NO_COMPRESSION));
-#endif
 wolfSSL_CTX_free(ctx);