Changes from review

Add a free handshake resources API.
Rename to wolfSSL_KeepHandshakeResources().
Add APIs to indicate the client's preference order is to be used when
matching cipher suites.

src/internal.c

@@ -3513,6 +3513,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 #ifdef HAVE_EXTENDED_MASTER
     ssl->options.haveEMS = ctx->haveEMS;
 #endif
+    ssl->options.useClientOrder = ctx->useClientOrder;
 
 #ifdef HAVE_TLS_EXTENSIONS
 #ifdef HAVE_MAX_FRAGMENT
@@ -18841,8 +18842,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         if (ssl->suites == NULL)
             return SUITES_ERROR;
 
-#ifdef WOLFSSL_WPAS
-        if (ssl->options.mask | SSL_OP_CIPHER_SERVER_PREFERENCE) {
+        if (!ssl->options.useClientOrder) {
             /* Server order */
             for (i = 0; i < ssl->suites->suiteSz; i += 2) {
                 for (j = 0; j < peerSuites->suiteSz; j += 2) {
@@ -18862,16 +18862,6 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                 }
             }
         }
-#else
-        /* Server order */
-        for (i = 0; i < ssl->suites->suiteSz; i += 2) {
-            for (j = 0; j < peerSuites->suiteSz; j += 2) {
-                ret = CompareSuites(ssl, peerSuites, i, j);
-                if (ret != MATCH_SUITE_ERROR)
-                    return ret;
-            }
-        }
-#endif
 
         return MATCH_SUITE_ERROR;
     }

src/ssl.c

@@ -2065,8 +2065,9 @@ void wolfSSL_FreeArrays(WOLFSSL* ssl)
  * handshake.
  *
  * ssl  The SSL/TLS object.
+ * returns BAD_FUNC_ARG when ssl is NULL and 0 on success.
  */
-int wolfSSL_KeepResources(WOLFSSL* ssl)
+int wolfSSL_KeepHandshakeResources(WOLFSSL* ssl)
 {
     if (ssl == NULL)
         return BAD_FUNC_ARG;
@@ -2076,6 +2077,51 @@ int wolfSSL_KeepResources(WOLFSSL* ssl)
     return 0;
 }
 
+/* Free the handshake resources after handshake.
+ *
+ * ssl  The SSL/TLS object.
+ * returns BAD_FUNC_ARG when ssl is NULL and 0 on success.
+ */
+int wolfSSL_FreeHandshakeResources(WOLFSSL* ssl)
+{
+    if (ssl == NULL)
+        return BAD_FUNC_ARG;
+
+    FreeHandshakeResources(ssl);
+
+    return 0;
+}
+
+/* Use the client's order of preference when matching cipher suites.
+ *
+ * ssl  The SSL/TLS context object.
+ * returns BAD_FUNC_ARG when ssl is NULL and 0 on success.
+ */
+int wolfSSL_CTX_UseClientSuites(WOLFSSL_CTX* ctx)
+{
+    if (ctx == NULL)
+        return BAD_FUNC_ARG;
+
+    ctx->useClientOrder = 1;
+
+    return 0;
+}
+
+/* Use the client's order of preference when matching cipher suites.
+ *
+ * ssl  The SSL/TLS object.
+ * returns BAD_FUNC_ARG when ssl is NULL and 0 on success.
+ */
+int wolfSSL_UseClientSuites(WOLFSSL* ssl)
+{
+    if (ssl == NULL)
+        return BAD_FUNC_ARG;
+
+    ssl->options.useClientOrder = 1;
+
+    return 0;
+}
+
 const byte* wolfSSL_GetMacSecret(WOLFSSL* ssl, int verify)
 {
     if (ssl == NULL)
@@ -8225,7 +8271,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
 #endif /* NO_HANDSHAKE_DONE_CB */
 
             if (!ssl->options.dtls) {
-                FreeHandshakeResources(ssl);
+                if (!ssl->options.keepResources) {
+                    FreeHandshakeResources(ssl);
+                }
             }
 #ifdef WOLFSSL_DTLS
             else {

wolfssl/internal.h

@@ -1984,6 +1984,7 @@ struct WOLFSSL_CTX {
     byte        groupMessages;    /* group handshake messages before sending */
     byte        minDowngrade;     /* minimum downgrade version */
     byte        haveEMS;          /* have extended master secret extension */
+    byte        useClientOrder;   /* Use client's cipher preference order */
 #if defined(WOLFSSL_SCTP) && defined(WOLFSSL_DTLS)
     byte        dtlsSctp;         /* DTLS-over-SCTP mode */
     word16      dtlsMtuSz;        /* DTLS MTU size */
@@ -2495,6 +2496,7 @@ typedef struct Options {
     word16            userCurves:1;       /* indicates user called wolfSSL_UseSupportedCurve */
 #endif
     word16            keepResources:1;    /* Keep resources after handshake */
+    word16            useClientOrder:1;   /* Use client's cipher order */
 
     /* need full byte values for this section */
     byte            processReply;           /* nonblocking resume */

wolfssl/ssl.h

@@ -1650,7 +1650,11 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
 WOLFSSL_API void wolfSSL_KeepArrays(WOLFSSL*);
 WOLFSSL_API void wolfSSL_FreeArrays(WOLFSSL*);
 
-WOLFSSL_API int wolfSSL_KeepResources(WOLFSSL* ssl);
+WOLFSSL_API int wolfSSL_KeepHandshakeResources(WOLFSSL* ssl);
+WOLFSSL_API int wolfSSL_FreeHandshakeResources(WOLFSSL* ssl);
+
+WOLFSSL_API int wolfSSL_CTX_UseClientSuites(WOLFSSL_CTX* ctx);
+WOLFSSL_API int wolfSSL_UseClientSuites(WOLFSSL* ssl);
 
 /* async additions */
 WOLFSSL_API int wolfSSL_UseAsync(WOLFSSL*, int devId);