From 48e40fac2b68e4b9e59a093cffb3d4324b435ac7 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Wed, 26 Feb 2020 22:29:38 +0100
Subject: [PATCH 1/2] OpenVPN changes

Include in settings.h for OpenVPN
Additional API fixes
---
 configure.ac | 2 +-
 wolfssl/openssl/err.h | 2 +-
 wolfssl/openssl/rsa.h | 1 +
 wolfssl/wolfcrypt/settings.h | 5 +++++
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index f56cfd6b3..0a482ef03 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3531,7 +3531,7 @@ fi
 if test "$ENABLED_OPENVPN" = "yes"
 then
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB -DHAVE_EX_DATA"
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB -DHAVE_EX_DATA -DWOLFSSL_KEY_GEN"
 fi
diff --git a/wolfssl/openssl/err.h b/wolfssl/openssl/err.h
index ae50458d5..cb1acc094 100644
--- a/wolfssl/openssl/err.h
+++ b/wolfssl/openssl/err.h
@@ -22,7 +22,7 @@
 #ifndef WOLFSSL_OPENSSL_ERR_
 #define WOLFSSL_OPENSSL_ERR_
-#include
+#include /* err.h for openssl */
 #define ERR_load_crypto_strings wolfSSL_ERR_load_crypto_strings
diff --git a/wolfssl/openssl/rsa.h b/wolfssl/openssl/rsa.h
index 658dc7b46..6db3173b2 100644
--- a/wolfssl/openssl/rsa.h
+++ b/wolfssl/openssl/rsa.h
@@ -26,6 +26,7 @@
 #define WOLFSSL_RSA_H_
 #include
+#include
 #include
 #ifdef __cplusplus
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 060d8a185..d84d5b3f7 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -31,6 +31,11 @@
 extern "C" {
 #endif
+/* include the options.h file ourselves for OpenVPN */
+#ifdef ENABLE_CRYPTO_WOLFSSL
+#include
+#endif
+
 /* Uncomment next line if using IPHONE */
 /* #define IPHONE */

From 06f23223e40ebbddeff204d7587f9591b42c490e Mon Sep 17 00:00:00 2001
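Review bot: The `#ifdef ENABLE_CRYPTO_WOLFSSL` guard added to settings.h makes a library header's inclusion of its generated options file depend on a macro that, judging by its name, is the consuming project's own configuration symbol rather than a wolfSSL one, so which configuration wolfSSL's headers see is now decided by the consumer's flags; if that macro is ever set while compiling the library itself, a stale or foreign options file is silently used. A wolfSSL-namespaced opt-in macro, rejected with an `#error` from a translation unit that is only ever compiled as part of the library, would make the contract explicit. The guarded `#include` has lost its target in this rendering (presumably the options.h file the comment names), so that line should be checked against the real patch. The comment should also state the consequence of misuse, e.g. `/* Consumers may ask wolfSSL to pull in its own options.h here; never define this when compiling wolfSSL itself, or the library and its headers can disagree on configuration */`.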
From: Juliusz Sosinowicz
Date: Fri, 3 Apr 2020 12:50:06 +0200
Subject: [PATCH 2/2] Allow wolfSSL to include options.h with EXTERNAL_OPTS_OPENVPN header
---
 src/internal.c | 8 ++++++++
 src/ssl.c | 13 ++++++++++++-
 wolfssl/wolfcrypt/settings.h | 6 ++++--
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 320bb78e3..6e166246a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -39,6 +39,12 @@
 * and ignoring no signer failures for CA's up the chain to root. */
+
+#ifdef EXTERNAL_OPTS_OPENVPN
+#error EXTERNAL_OPTS_OPENVPN should not be defined\
+ when building wolfSSL
+#endif
+
 #ifndef WOLFCRYPT_ONLY
 #include
@@ -6281,6 +6287,8 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 if (ssl->biord != ssl->biowr) /* only free write if different */
 wolfSSL_BIO_free(ssl->biowr);
 wolfSSL_BIO_free(ssl->biord); /* always free read bio */
+ ssl->biowr = NULL;
+ ssl->biord = NULL;
 #endif
 #ifdef HAVE_LIBZ
 FreeStreams(ssl);
diff --git a/src/ssl.c b/src/ssl.c
index 92e8b78dd..059371772 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -14761,6 +14761,16 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 (wr != NULL && wr->type != WOLFSSL_BIO_SOCKET)) {
 ssl->CBIOSend = BioSend;
 }
+
+ /* User programs should always retry reading from these BIOs */
+ if (rd) {
+ /* User writes to rd */
+ BIO_set_retry_write(rd);
+ }
+ if (wr) {
+ /* User reads from wr */
+ BIO_set_retry_read(wr);
+ }
 }
 #endif
@@ -39966,6 +39976,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 if ((l = wolfSSL_BIO_get_len(bp)) <= 0) {
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX)
+ /* No certificate in buffer */
 WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
 #endif
 return NULL;
@@ -46222,7 +46233,7 @@ unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line,
 ret = -ret;
 }
- if (ret == ASN_NO_PEM_HEADER)
+ if (ret == -ASN_NO_PEM_HEADER)
 return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE;
 if (ret != WANT_READ && ret != WANT_WRITE &&
 ret != ZERO_RETURN && ret != WOLFSSL_ERROR_ZERO_RETURN &&
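Review bot: The `#error` guard lives only in src/internal.c, so it protects the whole build exactly as long as this one file is compiled in every configuration; it is placed above the `#ifndef WOLFCRYPT_ONLY` that follows, which is what makes crypto-only builds covered too, and that reasoning deserves a comment, e.g. `/* Kept outside WOLFCRYPT_ONLY so crypto-only builds are checked as well */`. The settings.h include that would already have pulled in options.h presumably sits above this hunk (the top of the file is not visible here), so the check runs after the problematic include rather than before it; moving it above the first include makes the intent clearer. As a point of style, the backslash-continued message can be one line, `#error "EXTERNAL_OPTS_OPENVPN must not be defined when building wolfSSL"`, which also avoids the stray leading whitespace the continuation line injects into the diagnostic.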
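Review bot: `BIO_set_retry_write(rd)` and `BIO_set_retry_read(wr)` are applied once, when the BIOs are attached, and regardless of BIO type, including the socket BIOs that the preceding lines deliberately leave on the default callbacks. In OpenSSL these flags are per-operation state, set by a read or write that could not make progress and cleared by the next call or by `BIO_clear_retry_flags()`, so an application that clears them in the usual OpenSSL-style loop will never see them again on this BIO; whether wolfSSL's BIO read/write paths re-set them is not visible in this hunk. Setting the flags from the BIO read/write path on a zero or short result would match the OpenSSL contract; failing that, restrict this to the non-socket case the callback override above already distinguishes and record the assumption, `/* non-socket BIOs only: callers must treat short reads/writes as retryable */`. The enclosing function begins outside the hunk.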
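Review bot: The added comment is accurate, but the `WOLFSSL_ERROR(ASN_NO_PEM_HEADER)` push it documents remains gated on `OPENSSL_ALL` or `WOLFSSL_NGINX`, while the `-ASN_NO_PEM_HEADER` to `PEM_R_NO_START_LINE` mapping added to `wolfSSL_ERR_peek_error_line_data` in the same patch only helps if that push actually happens. An OpenVPN build that does not also enable `OPENSSL_ALL` would therefore get `NULL` with an empty error queue; whether `--enable-openvpn` implies `OPENSSL_ALL` is not visible here. Either extend the `#if` to the macro the OpenVPN build defines, or say so in the comment: `/* No certificate in buffer; queued only under OPENSSL_ALL/NGINX, which the PEM_R_NO_START_LINE mapping relies on */`. The enclosing function begins and ends outside the hunk.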
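Review bot: Negating the constant is consistent with the `ret = -ret;` just above, which leaves `ret` non-negative (its condition is outside the hunk, presumably `ret < 0`), so the old comparison against the negative `ASN_NO_PEM_HEADER` could never match. The very next lines compare the same `ret` against `WANT_READ`, `WANT_WRITE`, `ZERO_RETURN` and `WOLFSSL_ERROR_ZERO_RETURN`; if those are negative codes like `ASN_NO_PEM_HEADER`, they carry the same bug and should be negated in this change rather than one case at a time. Any sibling that translates queue entries the same way (the non-peek variant, if one exists) should be updated in step. A comment would stop the next reader from "fixing" it back: `/* ret was made positive above; wolfSSL error codes are negative */`.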
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index d84d5b3f7..e0620a9f9 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -31,8 +31,10 @@
 extern "C" {
 #endif
-/* include the options.h file ourselves for OpenVPN */
-#ifdef ENABLE_CRYPTO_WOLFSSL
+/* This flag allows wolfSSL to include options.h instead of having client
+ * projects do it themselves. This should *NEVER* be defined when building
+ * wolfSSL as it can cause hard to debug problems. */
+#ifdef EXTERNAL_OPTS_OPENVPN
 #include
 #endif
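Review bot: The comment says `EXTERNAL_OPTS_OPENVPN` must never be defined when building wolfSSL, but settings.h is compiled by both the library and its consumers and cannot tell which it is in, so nothing here enforces that rule; the enforcement is a separate `#error` in src/internal.c, and the two will drift unless the comment points at it, e.g. append ` * Enforced by the #error at the top of src/internal.c.`. The include guarded by the new `#ifdef` has lost its target in this rendering (presumably the options.h file the comment names). Since options.h is, as far as the configure.ac change in the companion patch suggests, the record of the `-D` flags the library was built with, a consumer defining this macro against a mismatched options.h gets silently divergent compile-time configuration; naming that failure mode instead of "hard to debug problems" would help, e.g. ` * (the library and these headers would disagree on configuration, with no diagnostic)`.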