From 634e547fba66bab89334d9b436efc9e615d06e62 Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Mon, 23 Sep 2024 10:04:33 -0700
Subject: [PATCH 1/4] Initial implementation of new option to always copy over key to SSL ctx
---
 src/internal.c | 7 +++++++
 src/ssl.c | 7 +++++++
 wolfssl/wolfcrypt/settings.h | 5 +++++
 3 files changed, 19 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index 2fc63753f..bae404677 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -6829,7 +6829,14 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 ssl->buffers.certChainCnt = ctx->certChainCnt;
 #endif
 #ifndef WOLFSSL_BLIND_PRIVATE_KEY
+#ifdef WOLFSSL_COPY_KEY
+ AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
+ ctx->privateKey->length, ctx->privateKey->type,
+ ctx->privateKey->heap);
+ ssl->buffers.weOwnKey = 1;
+#else
 ssl->buffers.key = ctx->privateKey;
+#endif
 #else
 if (ctx->privateKey != NULL) {
 AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
diff --git a/src/ssl.c b/src/ssl.c
index 264f2c04e..310a1ed2d 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -20410,7 +20410,14 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 ssl->buffers.certChainCnt = ctx->certChainCnt;
 #endif
 #ifndef WOLFSSL_BLIND_PRIVATE_KEY
+#ifdef WOLFSSL_COPY_KEY
+ AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
+ ctx->privateKey->length, ctx->privateKey->type,
+ ctx->privateKey->heap);
+ ssl->buffers.weOwnKey = 1;
+#else
 ssl->buffers.key = ctx->privateKey;
+#endif
 #else
 if (ctx->privateKey != NULL) {
 AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 03cd5e550..07c4f746b 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
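Review bot: The return value of `AllocCopyDer()` on the new `WOLFSSL_COPY_KEY` path is discarded, so an allocation failure leaves `ssl->buffers.key` without a usable copy while `SetSSL_CTX()` still reports success and the caller proceeds as if the CTX's private key were installed; `ssl->buffers.weOwnKey = 1` is also set regardless of whether the copy was made. The same applies to the `wolfSSL_set_SSL_CTX()` hunk in `src/ssl.c` in this patch, and the later "Add NULL checks on key copy" patch keeps both calls unchecked. Capture and propagate the result, e.g. `ret = AllocCopyDer(&ssl->buffers.key, ...); if (ret != 0) return ret;` in `SetSSL_CTX()`, and fail in whatever way `wolfSSL_set_SSL_CTX()` reports errors (it returns a `WOLFSSL_CTX*`, so presumably `NULL`). Whether the existing `WOLFSSL_BLIND_PRIVATE_KEY` branch visible below checks its own `AllocCopyDer()` call is outside the hunk; the two paths should behave the same. Both enclosing functions continue past the hunk.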
@@ -3581,6 +3581,11 @@ extern void uITRON4_free(void *p) ;
 #define WOLFSSL_COPY_CERT
 #endif
+#if defined(OPENSSL_ALL) && !defined(WOLFSSL_NO_COPY_KEY)
+ #undef WOLFSSL_COPY_KEY
+ #define WOLFSSL_COPY_KEY
+#endif
+
 /*
 * Keeps the "Finished" messages after a TLS handshake for use as the so-called
 * "tls-unique" channel binding. See comment in internal.h around clientFinished
From cad2bbd7a7d9200f40e7fa8446c75bfabd196db3 Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Mon, 23 Sep 2024 10:18:23 -0700
Subject: [PATCH 2/4] Add NULL checks on key copy
---
 src/internal.c | 16 ++++++++++++----
 src/ssl.c | 16 ++++++++++++----
 2 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index bae404677..d05238ec8 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -6830,10 +6830,18 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 #endif
 #ifndef WOLFSSL_BLIND_PRIVATE_KEY
 #ifdef WOLFSSL_COPY_KEY
- AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
- ctx->privateKey->length, ctx->privateKey->type,
- ctx->privateKey->heap);
- ssl->buffers.weOwnKey = 1;
+ if (ctx->privateKey != NULL) {
+ if (ssl->buffers.key != NULL) {
+ FreeDer(&ssl->buffers.key);
+ }
+ AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
+ ctx->privateKey->length, ctx->privateKey->type,
+ ctx->privateKey->heap);
+ ssl->buffers.weOwnKey = 1;
+ }
+ else {
+ ssl->buffers.key = ctx->privateKey;
+ }
 #else
 ssl->buffers.key = ctx->privateKey;
 #endif
diff --git a/src/ssl.c b/src/ssl.c
index 310a1ed2d..de97c8e5f 100644
--- a/src/ssl.c
+++ b/src/ssl.c
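Review bot: `FreeDer(&ssl->buffers.key)` in the new `WOLFSSL_COPY_KEY` branch of `SetSSL_CTX()` fires whenever the field is non-NULL without consulting `ssl->buffers.weOwnKey`, the flag that exists precisely to tell an owned copy from a borrowed pointer; unless every path that sets `ssl->buffers.key` under this option also sets the flag, this can release a buffer the SSL object does not own. The `else` branch has the opposite problem: it overwrites the field with the CTX's NULL key without freeing a copy the object may already own and leaves `weOwnKey` stale, which leaks private-key material if the function can be called on an object that already holds a key (the identical hunk in `wolfSSL_set_SSL_CTX()` in `src/ssl.c` suggests it can). Gate the free on ownership, `if (ssl->buffers.key != NULL && ssl->buffers.weOwnKey) { FreeDer(&ssl->buffers.key); }`, and have the `else` branch free an owned copy the same way before assigning and clearing `weOwnKey`. The enclosing function continues outside the hunk.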
@@ -20411,10 +20411,18 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 #endif
 #ifndef WOLFSSL_BLIND_PRIVATE_KEY
 #ifdef WOLFSSL_COPY_KEY
- AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
- ctx->privateKey->length, ctx->privateKey->type,
- ctx->privateKey->heap);
- ssl->buffers.weOwnKey = 1;
+ if (ctx->privateKey != NULL) {
+ if (ssl->buffers.key != NULL) {
+ FreeDer(&ssl->buffers.key);
+ }
+ AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
+ ctx->privateKey->length, ctx->privateKey->type,
+ ctx->privateKey->heap);
+ ssl->buffers.weOwnKey = 1;
+ }
+ else {
+ ssl->buffers.key = ctx->privateKey;
+ }
 #else
 ssl->buffers.key = ctx->privateKey;
 #endif
From 1a4b821c6417d6dd06707d6c3e8bd04e89be85c8 Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Mon, 23 Sep 2024 11:46:19 -0700
Subject: [PATCH 3/4] Add pthread link for liboqs testing
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index e07b0bb11..31a85bcfe 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1237,7 +1237,7 @@ AC_ARG_WITH([liboqs],
 tryliboqsdir="/usr/local"
 fi
- CPPFLAGS="$AM_CPPFLAGS -DHAVE_LIBOQS -DHAVE_TLS_EXTENSIONS -I$tryliboqsdir/include"
+ CPPFLAGS="$AM_CPPFLAGS -DHAVE_LIBOQS -DHAVE_TLS_EXTENSIONS -I$tryliboqsdir/include -pthread"
 LDFLAGS="$AM_LDFLAGS $LDFLAGS -L$tryliboqsdir/lib"
 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ OQS_init(); ]])], [ liboqs_linked=yes ],[ liboqs_linked=no ])
From 6414cf61a7107a55d90e8b758526f57409360952 Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Thu, 26 Sep 2024 13:18:06 -0700
Subject: [PATCH 4/4] Update comments for new flags in settings.h
---
 wolfssl/wolfcrypt/settings.h | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 07c4f746b..32730d879 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
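Review bot: `-pthread` is appended to `CPPFLAGS` in the liboqs block, but it is a compiler/linker driver option, not a preprocessor flag; it reaches the `AC_LINK_IFELSE` probe only because autoconf also passes `CPPFLAGS` on the link command line, and it then stays in the global `CPPFLAGS` for every later compile in the build. Since the subject says the goal is linking against liboqs, the flag belongs on the `LDFLAGS` line directly below, `LDFLAGS="$AM_LDFLAGS $LDFLAGS -L$tryliboqsdir/lib -pthread"`, or in `LIBS`, with the `CPPFLAGS` line left as it was. If affecting compilation is intended as well, a one-line comment saying so would keep the next reader from moving it.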
@@ -3576,11 +3576,17 @@ extern void uITRON4_free(void *p) ;
 #define KEEP_PEER_CERT
 #endif
+/* Always copy certificate(s) from SSL CTX to each SSL object on creation,
+ * if this is not defined then each SSL object shares a pointer to the
+ * original certificate buffer owned by the SSL CTX. */
 #if defined(OPENSSL_ALL) && !defined(WOLFSSL_NO_COPY_CERT)
 #undef WOLFSSL_COPY_CERT
 #define WOLFSSL_COPY_CERT
 #endif
+/* Always copy private key from SSL CTX to each SSL object on creation,
+ * if this is not defined then each SSL object shares a pointer to the
+ * original key buffer owned by the SSL CTX. */
 #if defined(OPENSSL_ALL) && !defined(WOLFSSL_NO_COPY_KEY)
 #undef WOLFSSL_COPY_KEY
 #define WOLFSSL_COPY_KEY
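Review bot: The new comment above the `WOLFSSL_COPY_KEY` block says the key is copied "on creation", but the first patch in this series adds the same copy to `wolfSSL_set_SSL_CTX()` in `src/ssl.c`, so an SSL object also receives a fresh, self-owned copy whenever its CTX is switched; the `WOLFSSL_COPY_CERT` comment uses the same wording. Neither comment states how the option is turned on or off, which is what a reader of settings.h comes here for, even though the `#if` lines just below spell it out. Extend each comment with where the copy happens (creation and `wolfSSL_set_SSL_CTX()`) and with the switches, e.g. append `Enabled by default with OPENSSL_ALL; define WOLFSSL_NO_COPY_KEY to opt out.` to the key block and the matching `WOLFSSL_NO_COPY_CERT` sentence to the certificate block.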