FIPS changes and fixups

Enable ex data explicitly.
Keep the peer cert for verification callback.
External session cache for hostapd.
Enable DES_ECB when not FIPS.
Don't send the peer cert if it is not received from peer.
Initialize the peer cert after free as will be freed on tear down of
SSL.
Allow a server to become a client.

configure.ac

@@ -342,7 +342,8 @@ if test "$ENABLED_WPAS" = "yes"
 then
     AM_CFLAGS="$AM_CFLAGS -DHAVE_SECRET_CALLBACK -DWOLFSSL_STATIC_RSA"
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP -DWOLFSSL_PUBLIC_ECC_ADD_DBL"
-    AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER"
+    AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER -DHAVE_EX_DATA -DWOLFSSL_KEEP_PEER_CERT"
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE"
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WPAS"
 fi
 
@@ -361,7 +362,7 @@ fi
 
 if test "$ENABLED_FORTRESS" = "yes"
 then
-    AM_CFLAGS="$AM_CFLAGS -DFORTRESS -DWOLFSSL_ALWAYS_VERIFY_CB -DOPENSSL_EXTRA -DWOLFSSL_DES_ECB -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT -DWOLFSSL_DER_LOAD -DWOLFSSL_SHA512 -DWOLFSSL_SHA384 -DWOLFSSL_KEY_GEN"
+    AM_CFLAGS="$AM_CFLAGS -DFORTRESS -DWOLFSSL_ALWAYS_VERIFY_CB -DOPENSSL_EXTRA -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT -DWOLFSSL_DER_LOAD -DWOLFSSL_SHA512 -DWOLFSSL_SHA384 -DWOLFSSL_KEY_GEN"
 fi
 
 
@@ -1578,6 +1579,11 @@ then
         ENABLED_DES3="yes"
     fi
     AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
+else
+    if test "x$ENABLED_FORTRESS" = "xyes"
+    then
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"
+    fi
 fi
 
 AM_CONDITIONAL([BUILD_FIPS], [test "x$ENABLED_FIPS" = "xyes"])
@@ -3002,7 +3008,7 @@ AC_ARG_ENABLE([aeskeywrap],
     [ ENABLED_AESKEYWRAP=no ]
     )
 
-if test "$ENABLED_WPAS" = "yes"
+if test "$ENABLED_WPAS" = "yes" && test "$ENABLED_FIPS" = "no"
 then
     ENABLED_AESKEYWRAP="yes"
 fi

src/internal.c

@@ -7203,7 +7203,10 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 store->certs = certs;
                 store->totalCerts = totalCerts;
 #ifdef KEEP_PEER_CERT
-                store->current_cert = &ssl->peerCert;
+                if (ssl->peerCert.subject.sz > 0)
+                    store->current_cert = &ssl->peerCert;
+                else
+                    store->current_cert = NULL;
 #else
                 store->current_cert = NULL;
 #endif
@@ -7246,7 +7249,10 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             store->certs = certs;
             store->totalCerts = totalCerts;
 #ifdef KEEP_PEER_CERT
-            store->current_cert = &ssl->peerCert;
+            if (ssl->peerCert.subject.sz > 0)
+                store->current_cert = &ssl->peerCert;
+            else
+                store->current_cert = NULL;
 #endif
             store->ex_data = ssl;
 

src/ssl.c

@@ -10213,7 +10213,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
                                                     WOLFSSL_X509_STORE_CTX* ctx)
     {
         WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert");
-        if(ctx)
+        if (ctx)
             return ctx->current_cert;
         return NULL;
     }
@@ -12400,6 +12400,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
 
 #ifdef KEEP_PEER_CERT
         FreeX509(&ssl->peerCert);
+        InitX509(&ssl->peerCert, 0, ssl->heap);
 #endif
 
         return SSL_SUCCESS;
@@ -13672,8 +13673,23 @@ int wolfSSL_set_session_id_context(WOLFSSL* ssl, const unsigned char* id,
 
 void wolfSSL_set_connect_state(WOLFSSL* ssl)
 {
-    (void)ssl;
-    /* client by default */
+    word16 haveRSA = 1;
+    word16 havePSK = 0;
+
+    if (ssl->options.side == WOLFSSL_SERVER_END) {
+        ssl->options.side = WOLFSSL_CLIENT_END;
+
+        #ifdef NO_RSA
+            haveRSA = 0;
+        #endif
+        #ifndef NO_PSK
+            havePSK = ssl->options.havePSK;
+        #endif
+        InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
+                   ssl->options.haveDH, ssl->options.haveNTRU,
+                   ssl->options.haveECDSAsig, ssl->options.haveECC,
+                   ssl->options.haveStaticECC, ssl->options.side);
+    }
 }
 #endif