Add proxy support, fix timeouts & update wolfSSL

source/libwolfssl/error-ssl.h

@@ -167,6 +167,8 @@ enum wolfSSL_ErrorCodes {
     CLIENT_CERT_CB_ERROR         = -436,   /* Client cert callback error */
     SSL_SHUTDOWN_ALREADY_DONE_E  = -437,   /* Shutdown called redundantly */
     TLS13_SECRET_CB_E            = -438,   /* TLS1.3 secret Cb fcn failure */
+    DTLS_SIZE_ERROR              = -439,   /* Trying to send too much data */
+    NO_CERT_ERROR                = -440,   /* TLS1.3 - no cert set error */
 
     /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */
 

source/libwolfssl/internal.h

@@ -72,6 +72,9 @@
 #ifndef NO_SHA256
     #include <libwolfssl/wolfcrypt/sha256.h>
 #endif
+#if defined(WOLFSSL_SHA384)
+    #include <libwolfssl/wolfcrypt/sha512.h>
+#endif
 #ifdef HAVE_OCSP
     #include <libwolfssl/ocsp.h>
 #endif
@@ -183,8 +186,10 @@
     /* do nothing */
 #else
     #ifndef SINGLE_THREADED
-        #define WOLFSSL_PTHREADS
+        #ifndef  WOLFSSL_USER_MUTEX
-        #include <pthread.h>
+            #define WOLFSSL_PTHREADS
+            #include <pthread.h>
+        #endif
     #endif
     #if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM)
         #include <unistd.h>      /* for close of BIO */
@@ -858,11 +863,13 @@
 
 #if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \
     defined(BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) || \
+    defined(BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) || \
     defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) || \
     defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256) || \
     defined(BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256) || \
     defined(BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384) || \
     defined(BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384) || \
+    defined(BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) || \
     defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) || \
     defined(BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384) || \
     defined(BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384) || \
@@ -906,7 +913,7 @@
     #define BUILD_DES3
 #endif
 
-#if defined(NO_AES) || defined(NO_AES_DECRYPT)
+#if defined(NO_AES) || !defined(HAVE_AES_DECRYPT)
     #define AES_BLOCK_SIZE 16
     #undef  BUILD_AES
 #else
@@ -1165,7 +1172,8 @@ enum {
 #ifndef MAX_PSK_ID_LEN
     /* max psk identity/hint supported */
     #if defined(WOLFSSL_TLS13)
-        #define MAX_PSK_ID_LEN 256
+        /* OpenSSL has a 1472 byte sessiont ticket */
+        #define MAX_PSK_ID_LEN 1536
     #else
         #define MAX_PSK_ID_LEN 128
     #endif
@@ -1207,19 +1215,6 @@ enum Misc {
     TLSv1_2_MINOR   = 3,        /* TLSv1_2 minor version number */
     TLSv1_3_MINOR   = 4,        /* TLSv1_3 minor version number */
     TLS_DRAFT_MAJOR = 0x7f,     /* Draft TLS major version number */
-#ifdef WOLFSSL_TLS13_DRAFT
-#ifdef WOLFSSL_TLS13_DRAFT_18
-    TLS_DRAFT_MINOR = 0x12,     /* Minor version number of TLS draft */
-#elif defined(WOLFSSL_TLS13_DRAFT_22)
-    TLS_DRAFT_MINOR = 0x16,     /* Minor version number of TLS draft */
-#elif defined(WOLFSSL_TLS13_DRAFT_23)
-    TLS_DRAFT_MINOR = 0x17,     /* Minor version number of TLS draft */
-#elif defined(WOLFSSL_TLS13_DRAFT_26)
-    TLS_DRAFT_MINOR = 0x1a,     /* Minor version number of TLS draft */
-#else
-    TLS_DRAFT_MINOR = 0x1c,     /* Minor version number of TLS draft */
-#endif
-#endif
     OLD_HELLO_ID    = 0x01,     /* SSLv2 Client Hello Indicator */
     INVALID_BYTE    = 0xff,     /* Used to initialize cipher specs values */
     NO_COMPRESSION  =  0,
@@ -1355,10 +1350,21 @@ enum Misc {
     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
     MAX_SYM_KEY_SIZE    = AES_256_KEY_SIZE,
 #else
-    MAX_SYM_KEY_SIZE    = WC_MAX_SYM_KEY_SIZE,
+    #if defined(HAVE_NULL_CIPHER) && defined(WOLFSSL_TLS13)
+        #if defined(WOLFSSL_SHA384) && WC_MAX_SYM_KEY_SIZE < 48
+            MAX_SYM_KEY_SIZE    = WC_SHA384_DIGEST_SIZE,
+        #elif !defined(NO_SHA256) && WC_MAX_SYM_KEY_SIZE < 32
+            MAX_SYM_KEY_SIZE    = WC_SHA256_DIGEST_SIZE,
+        #else
+            MAX_SYM_KEY_SIZE    = WC_MAX_SYM_KEY_SIZE,
+        #endif
+    #else
+        MAX_SYM_KEY_SIZE    = WC_MAX_SYM_KEY_SIZE,
+    #endif
 #endif
 
-#ifdef HAVE_SELFTEST
+#if defined(HAVE_SELFTEST) && \
+    (!defined(HAVE_SELFTEST_VERSION) || (HAVE_SELFTEST_VERSION < 2))
     #ifndef WOLFSSL_AES_KEY_SIZE_ENUM
     #define WOLFSSL_AES_KEY_SIZE_ENUM
     AES_IV_SIZE         = 16,
@@ -1502,7 +1508,7 @@ enum Misc {
 
 /* number of items in the signature algo list */
 #ifndef WOLFSSL_MAX_SIGALGO
-    #define WOLFSSL_MAX_SIGALGO 32
+    #define WOLFSSL_MAX_SIGALGO 36
 #endif
 
 
@@ -1590,6 +1596,7 @@ enum states {
     SERVER_HELLO_COMPLETE,
     SERVER_ENCRYPTED_EXTENSIONS_COMPLETE,
     SERVER_CERT_COMPLETE,
+    SERVER_CERT_VERIFY_COMPLETE,
     SERVER_KEYEXCHANGE_COMPLETE,
     SERVER_HELLODONE_COMPLETE,
 	SERVER_CHANGECIPHERSPEC_COMPLETE,
@@ -1657,6 +1664,10 @@ WOLFSSL_LOCAL int InitSSL_Side(WOLFSSL* ssl, word16 side);
 /* for sniffer */
 WOLFSSL_LOCAL int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                             word32 size, word32 totalSz, int sniff);
+#ifdef WOLFSSL_TLS13
+WOLFSSL_LOCAL int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
+                           word32 size, word32 totalSz, int sniff);
+#endif
 WOLFSSL_LOCAL int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx);
 /* TLS v1.3 needs these */
 WOLFSSL_LOCAL int  HandleTlsResumption(WOLFSSL* ssl, int bogusID,
@@ -1688,16 +1699,15 @@ WOLFSSL_LOCAL void FreeSuites(WOLFSSL* ssl);
 WOLFSSL_LOCAL int  ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 size);
 WOLFSSL_LOCAL int  MatchDomainName(const char* pattern, int len, const char* str);
 #ifndef NO_CERTS
-WOLFSSL_LOCAL int  CheckAltNames(DecodedCert* dCert, char* domain);
+WOLFSSL_LOCAL int  CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN);
-#ifdef OPENSSL_EXTRA
+WOLFSSL_LOCAL int  CheckIPAddr(DecodedCert* dCert, const char* ipasc);
-WOLFSSL_LOCAL int  CheckIPAddr(DecodedCert* dCert, char* ipasc);
-#endif
 #endif
 WOLFSSL_LOCAL int  CreateTicket(WOLFSSL* ssl);
-WOLFSSL_LOCAL int  HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz);
+WOLFSSL_LOCAL int  HashRaw(WOLFSSL* ssl, const byte* output, int sz);
 WOLFSSL_LOCAL int  HashOutput(WOLFSSL* ssl, const byte* output, int sz,
                               int ivSz);
 WOLFSSL_LOCAL int  HashInput(WOLFSSL* ssl, const byte* input, int sz);
+
 #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 WOLFSSL_LOCAL int SNI_Callback(WOLFSSL* ssl);
 #endif
@@ -1840,11 +1850,10 @@ WOLFSSL_LOCAL int  SetCipherList(WOLFSSL_CTX*, Suites*, const char* list);
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
 #define MAX_DESCRIPTION_SZ 255
 #endif
-/* wolfSSL Cipher type just points back to SSL */
 struct WOLFSSL_CIPHER {
     byte cipherSuite0;
     byte cipherSuite;
-    WOLFSSL* ssl;
+    const WOLFSSL* ssl;
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
     char description[MAX_DESCRIPTION_SZ];
     unsigned long offset;
@@ -2015,8 +2024,7 @@ WOLFSSL_LOCAL int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
 
 
 #ifndef NO_CERTS
-#if !defined NOCERTS &&\
+#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
-    (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
 typedef struct ProcPeerCertArgs {
     buffer*      certs;
 #ifdef WOLFSSL_TLS13
@@ -2132,8 +2140,10 @@ typedef struct Keys {
     byte   keyUpdateRespond:1;    /* KeyUpdate is to be responded to. */
 #endif
 #ifdef WOLFSSL_RENESAS_TSIP_TLS
-    byte tsip_client_write_MAC_secret[TSIP_TLS_HMAC_KEY_INDEX_WORDSIZE];
+
-    byte tsip_server_write_MAC_secret[TSIP_TLS_HMAC_KEY_INDEX_WORDSIZE];
+    tsip_hmac_sha_key_index_t tsip_client_write_MAC_secret;
+    tsip_hmac_sha_key_index_t tsip_server_write_MAC_secret;
+
 #endif
 } Keys;
 
@@ -2151,13 +2161,14 @@ typedef enum {
     TLSX_SUPPORTED_GROUPS           = 0x000a, /* a.k.a. Supported Curves */
     TLSX_EC_POINT_FORMATS           = 0x000b,
 #if !defined(WOLFSSL_NO_SIGALG)
-    TLSX_SIGNATURE_ALGORITHMS       = 0x000d,
+    TLSX_SIGNATURE_ALGORITHMS       = 0x000d, /* HELLO_EXT_SIG_ALGO */
 #endif
     TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */
     TLSX_STATUS_REQUEST_V2          = 0x0011, /* a.k.a. OCSP stapling v2 */
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
     TLSX_ENCRYPT_THEN_MAC           = 0x0016, /* RFC 7366 */
 #endif
+    TLSX_EXTENDED_MASTER_SECRET     = 0x0017, /* HELLO_EXT_EXTMS */
     TLSX_QUANTUM_SAFE_HYBRID        = 0x0018, /* a.k.a. QSH  */
     TLSX_SESSION_TICKET             = 0x0023,
 #ifdef WOLFSSL_TLS13
@@ -2175,12 +2186,8 @@ typedef enum {
     #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
     TLSX_POST_HANDSHAKE_AUTH        = 0x0031,
     #endif
-    #if defined(WOLFSSL_TLS13_DRAFT_18) || defined(WOLFSSL_TLS13_DRAFT_22)
-    TLSX_KEY_SHARE                  = 0x0028,
-    #else
     TLSX_SIGNATURE_ALGORITHMS_CERT  = 0x0032,
     TLSX_KEY_SHARE                  = 0x0033,
-    #endif
 #endif
     TLSX_RENEGOTIATION_INFO         = 0xff01
 } TLSX_Type;
@@ -2522,7 +2529,6 @@ WOLFSSL_LOCAL int TLSX_KeyShare_DeriveSecret(WOLFSSL* ssl);
 
 
 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
-#ifndef WOLFSSL_TLS13_DRAFT_18
 /* Ticket nonce - for deriving PSK.
  * Length allowed to be: 1..255. Only support 4 bytes.
  */
@@ -2530,7 +2536,6 @@ typedef struct TicketNonce {
     byte len;
     byte data[MAX_TICKET_NONCE_SZ];
 } TicketNonce;
-#endif
 
 /* The PreSharedKey extension information - entry in a linked list. */
 typedef struct PreSharedKey {
@@ -2586,6 +2591,13 @@ enum DeriveKeyType {
     update_traffic_key
 };
 
+WOLFSSL_LOCAL int DeriveEarlySecret(WOLFSSL* ssl);
+WOLFSSL_LOCAL int DeriveHandshakeSecret(WOLFSSL* ssl);
+WOLFSSL_LOCAL int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store);
+WOLFSSL_LOCAL int DeriveMasterSecret(WOLFSSL* ssl);
+WOLFSSL_LOCAL int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, byte* secret);
+WOLFSSL_LOCAL int DeriveResumptionSecret(WOLFSSL* ssl, byte* key);
+
 /* The key update request values for KeyUpdate message. */
 enum KeyUpdateRequest {
     update_not_requested,
@@ -2602,6 +2614,14 @@ enum SetCBIO {
 };
 #endif
 
+#ifdef WOLFSSL_STATIC_EPHEMERAL
+typedef struct {
+    int keyAlgo;
+    DerBuffer* key;
+} StaticKeyExchangeInfo_t;
+#endif
+
+
 /* wolfSSL context type */
 struct WOLFSSL_CTX {
     WOLFSSL_METHOD* method;
@@ -2710,9 +2730,7 @@ struct WOLFSSL_CTX {
 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
     short       minEccKeySz;      /* minimum ECC key size */
 #endif
-#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
     unsigned long     mask;             /* store SSL_OP_ flags */
-#endif
 #ifdef OPENSSL_EXTRA
     byte              sessionCtx[ID_LEN]; /* app session context ID */
     word32            disabledCurves;   /* curves disabled by user */
@@ -2755,6 +2773,7 @@ struct WOLFSSL_CTX {
     wc_psk_client_tls13_callback client_psk_tls13_cb;  /* client callback */
     wc_psk_server_tls13_callback server_psk_tls13_cb;  /* server callback */
 #endif
+    void*       psk_ctx;
     char        server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN];
 #endif /* HAVE_SESSION_TICKET || !NO_PSK */
 #ifdef WOLFSSL_TLS13
@@ -2771,7 +2790,7 @@ struct WOLFSSL_CTX {
     pem_password_cb* passwd_cb;
     void*            passwd_userdata;
 #endif
-#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
     WOLFSSL_X509_STORE x509_store; /* points to ctx->cm */
     WOLFSSL_X509_STORE* x509_store_pt; /* take ownership of external store */
     byte            readAhead;
@@ -2876,16 +2895,19 @@ struct WOLFSSL_CTX {
     #endif /* NO_RSA */
 #endif /* HAVE_PK_CALLBACKS */
 #ifdef HAVE_WOLF_EVENT
-        WOLF_EVENT_QUEUE event_queue;
+    WOLF_EVENT_QUEUE event_queue;
 #endif /* HAVE_WOLF_EVENT */
 #ifdef HAVE_EXT_CACHE
-        WOLFSSL_SESSION*(*get_sess_cb)(WOLFSSL*, unsigned char*, int, int*);
+    WOLFSSL_SESSION*(*get_sess_cb)(WOLFSSL*, unsigned char*, int, int*);
-        int (*new_sess_cb)(WOLFSSL*, WOLFSSL_SESSION*);
+    int (*new_sess_cb)(WOLFSSL*, WOLFSSL_SESSION*);
-        void (*rem_sess_cb)(WOLFSSL_CTX*, WOLFSSL_SESSION*);
+    void (*rem_sess_cb)(WOLFSSL_CTX*, WOLFSSL_SESSION*);
 #endif
 #if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && !defined(NO_SHA256)
-        Srp*  srp;  /* TLS Secure Remote Password Protocol*/
+    Srp*  srp;  /* TLS Secure Remote Password Protocol*/
-        byte* srp_password;
+    byte* srp_password;
+#endif
+#ifdef WOLFSSL_STATIC_EPHEMERAL
+    StaticKeyExchangeInfo_t staticKE;
 #endif
 };
 
@@ -2950,7 +2972,6 @@ enum KeyExchangeAlgorithm {
     ecc_static_diffie_hellman_kea       /* for verify suite only */
 };
 
-
 /* Supported Authentication Schemes */
 enum SignatureAlgorithm {
     anonymous_sa_algo = 0,
@@ -3009,6 +3030,13 @@ enum CipherType { aead };
     #define CIPHER_NONCE
 #endif
 
+#if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
+enum CipherSrc {
+    KEYS_NOT_SET = 0,
+    KEYS,     /* keys from ssl->keys are loaded */
+    SCR       /* keys from ssl->secure_renegotiation->tmp_keys are loaded */
+};
+#endif
 
 /* cipher for now */
 typedef struct Ciphers {
@@ -3048,6 +3076,10 @@ typedef struct Ciphers {
 #endif
     byte    state;
     byte    setup;       /* have we set it up flag for detection */
+#if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
+    enum CipherSrc src;  /* DTLS uses this to determine which keys
+                          * are currently loaded */
+#endif
 } Ciphers;
 
 
@@ -3149,6 +3181,8 @@ struct WOLFSSL_SESSION {
 #ifdef OPENSSL_EXTRA
     byte               sessionCtxSz;              /* sessionCtx length        */
     byte               sessionCtx[ID_LEN];        /* app specific context id  */
+    wolfSSL_Mutex      refMutex;                  /* ref count mutex */
+    int                refCount;                  /* reference count */
 #endif
 #ifdef WOLFSSL_TLS13
     word16             namedGroup;
@@ -3157,9 +3191,7 @@ struct WOLFSSL_SESSION {
     #ifdef WOLFSSL_TLS13
     word32             ticketSeen;                /* Time ticket seen (ms) */
     word32             ticketAdd;                 /* Added by client */
-        #ifndef WOLFSSL_TLS13_DRAFT_18
     TicketNonce        ticketNonce;               /* Nonce used to derive PSK */
-        #endif
     #endif
     #ifdef WOLFSSL_EARLY_DATA
     word32             maxEarlyDataSz;
@@ -3171,7 +3203,7 @@ struct WOLFSSL_SESSION {
     byte               staticTicket[SESSION_TICKET_LEN];
     byte               isDynamic;
 #endif
-#ifdef HAVE_EXT_CACHE
+#if defined(HAVE_EXT_CACHE) || defined(OPENSSL_EXTRA)
     byte               isAlloced;
 #endif
 #ifdef HAVE_EX_DATA
@@ -3185,7 +3217,7 @@ WOLFSSL_SESSION* GetSession(WOLFSSL*, byte*, byte);
 WOLFSSL_LOCAL
 int          SetSession(WOLFSSL*, WOLFSSL_SESSION*);
 
-typedef int (*hmacfp) (WOLFSSL*, byte*, const byte*, word32, int, int, int);
+typedef int (*hmacfp) (WOLFSSL*, byte*, const byte*, word32, int, int, int, int);
 
 #ifndef NO_CLIENT_CACHE
     WOLFSSL_SESSION* GetSessionClient(WOLFSSL*, const byte*, int);
@@ -3346,8 +3378,9 @@ typedef struct Options {
     wc_psk_client_tls13_callback client_psk_tls13_cb;  /* client callback */
     wc_psk_server_tls13_callback server_psk_tls13_cb;  /* server callback */
 #endif
+    void*             psk_ctx;
 #endif /* NO_PSK */
-#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
     unsigned long     mask; /* store SSL_OP_ flags */
 #endif
 
@@ -3587,15 +3620,15 @@ struct WOLFSSL_X509_NAME {
     char  staticName[ASN_NAME_MAX];
 #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
     !defined(NO_ASN)
-    DecodedName fullName;
+    int   entrySz; /* number of entries */
-    WOLFSSL_X509_NAME_ENTRY cnEntry;
+    WOLFSSL_X509_NAME_ENTRY entry[MAX_NAME_ENTRIES]; /* all entries i.e. CN */
-    WOLFSSL_X509_NAME_ENTRY extra[MAX_NAME_ENTRIES]; /* extra entries added */
     WOLFSSL_X509*           x509;   /* x509 that struct belongs to */
 #endif /* OPENSSL_EXTRA */
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX)
     byte  raw[ASN_NAME_MAX];
     int   rawLen;
 #endif
+    void* heap;
 };
 
 #ifndef EXTERNAL_SERIAL_SIZE
@@ -3741,6 +3774,7 @@ typedef struct DtlsMsg {
     byte*           msg;
     DtlsFrag*       fragList;
     word32          fragSz;    /* Length of fragments received */
+    word16          epoch;     /* Epoch that this message belongs to */
     word32          seq;       /* Handshake sequence number    */
     word32          sz;        /* Length of whole message      */
     byte            type;
@@ -3810,6 +3844,20 @@ typedef struct HS_Hashes {
 } HS_Hashes;
 
 
+#ifndef WOLFSSL_NO_TLS12
+/* Persistable BuildMessage arguments */
+typedef struct BuildMsgArgs {
+    word32 digestSz;
+    word32 sz;
+    word32 pad;
+    word32 idx;
+    word32 headerSz;
+    word16 size;
+    word32 ivSz;      /* TLSv1.1  IV */
+    byte*  iv;
+} BuildMsgArgs;
+#endif
+
 #ifdef WOLFSSL_ASYNC_CRYPT
     #define MAX_ASYNC_ARGS 18
     typedef void (*FreeArgsCb)(struct WOLFSSL* ssl, void* pArgs);
@@ -3818,6 +3866,7 @@ typedef struct HS_Hashes {
         WC_ASYNC_DEV* dev;
         FreeArgsCb    freeArgs; /* function pointer to cleanup args */
         word32        args[MAX_ASYNC_ARGS]; /* holder for current args */
+        BuildMsgArgs  buildArgs; /* holder for current BuildMessage args */
     };
 #endif
 
@@ -3971,11 +4020,9 @@ struct WOLFSSL {
 #endif
     word16          pssAlgo;
 #ifdef WOLFSSL_TLS13
-    #if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
     word16          certHashSigAlgoSz;  /* SigAlgoCert ext length in bytes */
     byte            certHashSigAlgo[WOLFSSL_MAX_SIGALGO]; /* cert sig/algo to
                                                            * offer */
-    #endif /* !WOLFSSL_TLS13_DRAFT_18 && !WOLFSSL_TLS13_DRAFT_22 */
 #endif
 #ifdef HAVE_NTRU
     word16          peerNtruKeyLen;
@@ -4202,6 +4249,9 @@ struct WOLFSSL {
     WOLFSSL_STACK* supportedCiphers; /* Used in wolfSSL_get_ciphers_compat */
     WOLFSSL_STACK* peerCertChain;    /* Used in wolfSSL_get_peer_cert_chain */
 #endif
+#ifdef WOLFSSL_STATIC_EPHEMERAL
+    StaticKeyExchangeInfo_t staticKE;
+#endif
 };
 
 
@@ -4221,10 +4271,8 @@ WOLFSSL_API   void SSL_ResourceFree(WOLFSSL*);   /* Micrium uses */
                                  int type, WOLFSSL* ssl, int userChain,
                                 WOLFSSL_CRL* crl, int verify);
 
-    #ifdef OPENSSL_EXTRA
+    WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, const char *domainName,
-    WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, char *domainName,
                                     size_t domainNameLen);
-    #endif
 #endif
 
 
@@ -4333,12 +4381,8 @@ WOLFSSL_LOCAL int SendTicket(WOLFSSL*);
 WOLFSSL_LOCAL int DoClientTicket(WOLFSSL*, const byte*, word32);
 WOLFSSL_LOCAL int SendData(WOLFSSL*, const void*, int);
 #ifdef WOLFSSL_TLS13
-#ifdef WOLFSSL_TLS13_DRAFT_18
-WOLFSSL_LOCAL int SendTls13HelloRetryRequest(WOLFSSL*);
-#else
 WOLFSSL_LOCAL int SendTls13ServerHello(WOLFSSL*, byte);
 #endif
-#endif
 WOLFSSL_LOCAL int SendCertificate(WOLFSSL*);
 WOLFSSL_LOCAL int SendCertificateRequest(WOLFSSL*);
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
@@ -4464,7 +4508,7 @@ WOLFSSL_LOCAL  int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength);
     WOLFSSL_LOCAL int  MakeTlsMasterSecret(WOLFSSL*);
 #ifndef WOLFSSL_AEAD_ONLY
     WOLFSSL_LOCAL int  TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in,
-                                word32 sz, int padSz, int content, int verify);
+                                word32 sz, int padSz, int content, int verify, int epochOrder);
 #endif
 #endif
 
@@ -4486,24 +4530,30 @@ WOLFSSL_LOCAL  int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength);
     WOLFSSL_LOCAL DtlsMsg* DtlsMsgNew(word32, void*);
     WOLFSSL_LOCAL void DtlsMsgDelete(DtlsMsg*, void*);
     WOLFSSL_LOCAL void DtlsMsgListDelete(DtlsMsg*, void*);
-    WOLFSSL_LOCAL int  DtlsMsgSet(DtlsMsg*, word32, const byte*, byte,
+    WOLFSSL_LOCAL void DtlsTxMsgListClean(WOLFSSL* ssl);
+    WOLFSSL_LOCAL int  DtlsMsgSet(DtlsMsg*, word32, word16, const byte*, byte,
                                                        word32, word32, void*);
-    WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg*, word32);
+    WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg*, word32, word32);
-    WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL*, word32, const byte*, word32,
+    WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL*, word32, word32, const byte*, word32,
                                                 byte, word32, word32, void*);
     WOLFSSL_LOCAL DtlsMsg* DtlsMsgInsert(DtlsMsg*, DtlsMsg*);
 
-    WOLFSSL_LOCAL int  DtlsMsgPoolSave(WOLFSSL*, const byte*, word32);
+    WOLFSSL_LOCAL int  DtlsMsgPoolSave(WOLFSSL*, const byte*, word32, enum HandShakeType);
     WOLFSSL_LOCAL int  DtlsMsgPoolTimeout(WOLFSSL*);
     WOLFSSL_LOCAL int  VerifyForDtlsMsgPoolSend(WOLFSSL*, byte, word32);
+    WOLFSSL_LOCAL int  VerifyForTxDtlsMsgDelete(WOLFSSL* ssl, DtlsMsg* head);
     WOLFSSL_LOCAL void DtlsMsgPoolReset(WOLFSSL*);
     WOLFSSL_LOCAL int  DtlsMsgPoolSend(WOLFSSL*, int);
 #endif /* WOLFSSL_DTLS */
 
-#ifndef NO_TLS
+#if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS)
+    WOLFSSL_LOCAL int DtlsSCRKeysSet(WOLFSSL* ssl);
+    WOLFSSL_LOCAL int IsDtlsMsgSCRKeys(WOLFSSL* ssl);
+    WOLFSSL_LOCAL int DtlsUseSCRKeys(WOLFSSL* ssl);
+    WOLFSSL_LOCAL int DtlsCheckOrder(WOLFSSL* ssl, int order);
+#endif
 
-
+    WOLFSSL_LOCAL void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out);
-#endif /* NO_TLS */
 
 #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
     WOLFSSL_LOCAL word32 TimeNowInMilliseconds(void);
@@ -4511,8 +4561,8 @@ WOLFSSL_LOCAL  int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength);
 WOLFSSL_LOCAL word32  LowResTimer(void);
 
 #ifndef NO_CERTS
-    WOLFSSL_LOCAL void InitX509Name(WOLFSSL_X509_NAME*, int);
+    WOLFSSL_LOCAL void InitX509Name(WOLFSSL_X509_NAME*, int, void*);
-    WOLFSSL_LOCAL void FreeX509Name(WOLFSSL_X509_NAME* name, void* heap);
+    WOLFSSL_LOCAL void FreeX509Name(WOLFSSL_X509_NAME* name);
     WOLFSSL_LOCAL void InitX509(WOLFSSL_X509*, int, void* heap);
     WOLFSSL_LOCAL void FreeX509(WOLFSSL_X509*);
     WOLFSSL_LOCAL int  CopyDecodedToX509(WOLFSSL_X509*, DecodedCert*);
@@ -4598,9 +4648,13 @@ WOLFSSL_LOCAL int SetDhExternal(WOLFSSL_DH *dh);
 WOLFSSL_LOCAL int InitHandshakeHashes(WOLFSSL* ssl);
 WOLFSSL_LOCAL void FreeHandshakeHashes(WOLFSSL* ssl);
 
+
+#ifndef WOLFSSL_NO_TLS12
+WOLFSSL_LOCAL void FreeBuildMsgArgs(WOLFSSL* ssl, BuildMsgArgs* args);
+#endif
 WOLFSSL_LOCAL int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
                         const byte* input, int inSz, int type, int hashOutput,
-                        int sizeOnly, int asyncOkay);
+                        int sizeOnly, int asyncOkay, int epochOrder);
 
 #ifdef WOLFSSL_TLS13
 int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,

source/libwolfssl/openssl/asn1.h

@@ -107,7 +107,7 @@ typedef enum {
 } WOLFSSL_ASN1_TYPES;
 
 #define ASN1_SEQUENCE(type) \
-    static const type __##type##_dummy_struct;\
+    static type __##type##_dummy_struct;\
     static const WOLFSSL_ASN1_TEMPLATE type##_member_data[]
 
 #define ASN1_SIMPLE(type, member, member_type) \

source/libwolfssl/openssl/bio.h

@@ -33,11 +33,11 @@
 #endif
 
 
-#define BIO_FLAG_BASE64_NO_NL WOLFSSL_BIO_FLAG_BASE64_NO_NL
+#define BIO_FLAGS_BASE64_NO_NL WOLFSSL_BIO_FLAG_BASE64_NO_NL
-#define BIO_FLAG_READ         WOLFSSL_BIO_FLAG_READ
+#define BIO_FLAGS_READ         WOLFSSL_BIO_FLAG_READ
-#define BIO_FLAG_WRITE        WOLFSSL_BIO_FLAG_WRITE
+#define BIO_FLAGS_WRITE        WOLFSSL_BIO_FLAG_WRITE
-#define BIO_FLAG_IO_SPECIAL   WOLFSSL_BIO_FLAG_IO_SPECIAL
+#define BIO_FLAGS_IO_SPECIAL   WOLFSSL_BIO_FLAG_IO_SPECIAL
-#define BIO_FLAG_RETRY        WOLFSSL_BIO_FLAG_RETRY
+#define BIO_FLAGS_SHOULD_RETRY WOLFSSL_BIO_FLAG_RETRY
 
 #define BIO_new_fp                      wolfSSL_BIO_new_fp
 #define BIO_new_file                    wolfSSL_BIO_new_file

source/libwolfssl/openssl/dsa.h

@@ -80,6 +80,8 @@ WOLFSSL_API int wolfSSL_DSA_do_verify(const unsigned char* d,
                                       unsigned char* sig,
                                       WOLFSSL_DSA* dsa, int *dsacheck);
 
+WOLFSSL_API int wolfSSL_DSA_bits(const WOLFSSL_DSA *d);
+
 WOLFSSL_API WOLFSSL_DSA_SIG* wolfSSL_DSA_SIG_new(void);
 WOLFSSL_API void wolfSSL_DSA_SIG_free(WOLFSSL_DSA_SIG *sig);
 WOLFSSL_API WOLFSSL_DSA_SIG* wolfSSL_DSA_do_sign_ex(const unsigned char* digest,

source/libwolfssl/openssl/ec.h

@@ -148,12 +148,21 @@ int wolfSSL_EC_POINT_oct2point(const WOLFSSL_EC_GROUP *group,
 WOLFSSL_API
 int wolfSSL_i2o_ECPublicKey(const WOLFSSL_EC_KEY *in, unsigned char **out);
 WOLFSSL_API
+WOLFSSL_EC_KEY *wolfSSL_d2i_ECPrivateKey(WOLFSSL_EC_KEY **key, const unsigned char **in,
+                                         long len);
+WOLFSSL_API
+int wolfSSL_i2d_ECPrivateKey(const WOLFSSL_EC_KEY *in, unsigned char **out);
+WOLFSSL_API
 void wolfSSL_EC_KEY_set_conv_form(WOLFSSL_EC_KEY *eckey, char form);
 WOLFSSL_API
 WOLFSSL_BIGNUM *wolfSSL_EC_POINT_point2bn(const WOLFSSL_EC_GROUP *group,
                                           const WOLFSSL_EC_POINT *p,
                                           char form,
                                           WOLFSSL_BIGNUM *in, WOLFSSL_BN_CTX *ctx);
+WOLFSSL_API
+int wolfSSL_EC_POINT_is_on_curve(const WOLFSSL_EC_GROUP *group,
+                                 const WOLFSSL_EC_POINT *point,
+                                 WOLFSSL_BN_CTX *ctx);
 
 WOLFSSL_API
 int wolfSSL_EC_KEY_LoadDer(WOLFSSL_EC_KEY* key,
@@ -198,6 +207,8 @@ WOLFSSL_API
 int wolfSSL_EC_GROUP_cmp(const WOLFSSL_EC_GROUP *a, const WOLFSSL_EC_GROUP *b,
                          WOLFSSL_BN_CTX *ctx);
 WOLFSSL_API
+WOLFSSL_EC_GROUP *wolfSSL_EC_GROUP_dup(const WOLFSSL_EC_GROUP *src);
+WOLFSSL_API
 int wolfSSL_EC_GROUP_get_curve_name(const WOLFSSL_EC_GROUP *group);
 WOLFSSL_API
 int wolfSSL_EC_GROUP_get_degree(const WOLFSSL_EC_GROUP *group);
@@ -228,11 +239,18 @@ int wolfSSL_EC_POINT_set_affine_coordinates_GFp(const WOLFSSL_EC_GROUP *group,
                                                 const WOLFSSL_BIGNUM *y,
                                                 WOLFSSL_BN_CTX *ctx);
 WOLFSSL_API
+int wolfSSL_EC_POINT_add(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r,
+                         const WOLFSSL_EC_POINT *p1,
+                         const WOLFSSL_EC_POINT *p2, WOLFSSL_BN_CTX *ctx);
+WOLFSSL_API
 int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r,
                          const WOLFSSL_BIGNUM *n,
                          const WOLFSSL_EC_POINT *q, const WOLFSSL_BIGNUM *m,
                          WOLFSSL_BN_CTX *ctx);
 WOLFSSL_API
+int wolfSSL_EC_POINT_invert(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *a,
+                            WOLFSSL_BN_CTX *ctx);
+WOLFSSL_API
 void wolfSSL_EC_POINT_clear_free(WOLFSSL_EC_POINT *point);
 WOLFSSL_API
 int wolfSSL_EC_POINT_cmp(const WOLFSSL_EC_GROUP *group,
@@ -277,6 +295,7 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group,
 #define EC_GROUP_set_asn1_flag          wolfSSL_EC_GROUP_set_asn1_flag
 #define EC_GROUP_new_by_curve_name      wolfSSL_EC_GROUP_new_by_curve_name
 #define EC_GROUP_cmp                    wolfSSL_EC_GROUP_cmp
+#define EC_GROUP_dup                    wolfSSL_EC_GROUP_dup
 #define EC_GROUP_get_curve_name         wolfSSL_EC_GROUP_get_curve_name
 #define EC_GROUP_get_degree             wolfSSL_EC_GROUP_get_degree
 #define EC_GROUP_get_order              wolfSSL_EC_GROUP_get_order
@@ -291,7 +310,9 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group,
                                      wolfSSL_EC_POINT_get_affine_coordinates_GFp
 #define EC_POINT_set_affine_coordinates_GFp \
                                      wolfSSL_EC_POINT_set_affine_coordinates_GFp
+#define EC_POINT_add                    wolfSSL_EC_POINT_add
 #define EC_POINT_mul                    wolfSSL_EC_POINT_mul
+#define EC_POINT_invert                 wolfSSL_EC_POINT_invert
 #define EC_POINT_clear_free             wolfSSL_EC_POINT_clear_free
 #define EC_POINT_cmp                    wolfSSL_EC_POINT_cmp
 #define EC_POINT_copy                   wolfSSL_EC_POINT_copy
@@ -304,7 +325,11 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group,
 #define EC_POINT_point2oct              wolfSSL_EC_POINT_point2oct
 #define EC_POINT_oct2point              wolfSSL_EC_POINT_oct2point
 #define EC_POINT_point2bn               wolfSSL_EC_POINT_point2bn
+#define EC_POINT_is_on_curve            wolfSSL_EC_POINT_is_on_curve
 #define i2o_ECPublicKey                 wolfSSL_i2o_ECPublicKey
+#define i2d_EC_PUBKEY                   wolfSSL_i2o_ECPublicKey
+#define d2i_ECPrivateKey                wolfSSL_d2i_ECPrivateKey
+#define i2d_ECPrivateKey                wolfSSL_i2d_ECPrivateKey
 #define EC_KEY_set_conv_form            wolfSSL_EC_KEY_set_conv_form
 
 #ifndef HAVE_SELFTEST

source/libwolfssl/openssl/evp.h

@@ -356,10 +356,10 @@ struct WOLFSSL_EVP_CIPHER_CTX {
 #ifdef HAVE_AESGCM
     byte*   gcmDecryptBuffer;
     int     gcmDecryptBufferLen;
-#endif
     ALIGN16 unsigned char authTag[AES_BLOCK_SIZE];
     int     authTagSz;
 #endif
+#endif
 };
 
 struct WOLFSSL_EVP_PKEY_CTX {
@@ -521,6 +521,7 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_assign_EC_KEY(WOLFSSL_EVP_PKEY* pkey,
 WOLFSSL_API int wolfSSL_EVP_PKEY_assign_DSA(EVP_PKEY* pkey, WOLFSSL_DSA* key);
 WOLFSSL_API int wolfSSL_EVP_PKEY_assign_DH(EVP_PKEY* pkey, WOLFSSL_DH* key);
 WOLFSSL_API WOLFSSL_RSA* wolfSSL_EVP_PKEY_get0_RSA(struct WOLFSSL_EVP_PKEY *pkey);
+WOLFSSL_API WOLFSSL_DSA* wolfSSL_EVP_PKEY_get0_DSA(struct WOLFSSL_EVP_PKEY *pkey);
 WOLFSSL_API WOLFSSL_RSA* wolfSSL_EVP_PKEY_get1_RSA(WOLFSSL_EVP_PKEY*);
 WOLFSSL_API WOLFSSL_DSA* wolfSSL_EVP_PKEY_get1_DSA(WOLFSSL_EVP_PKEY*);
 WOLFSSL_API WOLFSSL_EC_KEY *wolfSSL_EVP_PKEY_get0_EC_KEY(WOLFSSL_EVP_PKEY *pkey);

source/libwolfssl/openssl/hmac.h

@@ -72,6 +72,7 @@ WOLFSSL_API int wolfSSL_HMAC_Update(WOLFSSL_HMAC_CTX* ctx,
 WOLFSSL_API int wolfSSL_HMAC_Final(WOLFSSL_HMAC_CTX* ctx, unsigned char* hash,
                                   unsigned int* len);
 WOLFSSL_API int wolfSSL_HMAC_cleanup(WOLFSSL_HMAC_CTX* ctx);
+WOLFSSL_API void wolfSSL_HMAC_CTX_cleanup(WOLFSSL_HMAC_CTX* ctx);
 WOLFSSL_API void wolfSSL_HMAC_CTX_free(WOLFSSL_HMAC_CTX* ctx);
 WOLFSSL_API size_t wolfSSL_HMAC_size(const WOLFSSL_HMAC_CTX *ctx);
 
@@ -83,6 +84,7 @@ typedef struct WOLFSSL_HMAC_CTX HMAC_CTX;
 #define HMAC_CTX_init wolfSSL_HMAC_CTX_Init
 #define HMAC_CTX_copy wolfSSL_HMAC_CTX_copy
 #define HMAC_CTX_free wolfSSL_HMAC_CTX_free
+#define HMAC_CTX_cleanup wolfSSL_HMAC_CTX_cleanup
 #define HMAC_CTX_reset wolfSSL_HMAC_cleanup
 #define HMAC_Init_ex  wolfSSL_HMAC_Init_ex
 #define HMAC_Init     wolfSSL_HMAC_Init

source/libwolfssl/openssl/ssl.h

@@ -79,6 +79,7 @@ typedef WOLFSSL_X509_NAME  X509_NAME;
 typedef WOLFSSL_X509_INFO  X509_INFO;
 typedef WOLFSSL_X509_CHAIN X509_CHAIN;
 
+/* STACK_OF(ASN1_OBJECT) */
 typedef WOLFSSL_STACK      EXTENDED_KEY_USAGE;
 
 
@@ -151,6 +152,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define CRYPTO_cleanup_all_ex_data      wolfSSL_cleanup_all_ex_data
 #define set_ex_data                     wolfSSL_CRYPTO_set_ex_data
 #define get_ex_data                     wolfSSL_CRYPTO_get_ex_data
+#define CRYPTO_memcmp                   wolfSSL_CRYPTO_memcmp
 
 /* this function was used to set the default malloc, free, and realloc */
 #define CRYPTO_malloc_init() 0 /* CRYPTO_malloc_init is not needed */
@@ -174,14 +176,15 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define SSL_use_certificate_ASN1        wolfSSL_use_certificate_ASN1
 #define d2i_PKCS8_PRIV_KEY_INFO_bio     wolfSSL_d2i_PKCS8_PKEY_bio
 #define d2i_PKCS8PrivateKey_bio         wolfSSL_d2i_PKCS8PrivateKey_bio
+#define i2d_PKCS8PrivateKey_bio         wolfSSL_PEM_write_bio_PKCS8PrivateKey
 #define PKCS8_PRIV_KEY_INFO_free        wolfSSL_EVP_PKEY_free
 #define d2i_PKCS12_fp                   wolfSSL_d2i_PKCS12_fp
 
+#define i2d_PUBKEY                      wolfSSL_i2d_PUBKEY
 #define d2i_PUBKEY                      wolfSSL_d2i_PUBKEY
 #define d2i_PUBKEY_bio                  wolfSSL_d2i_PUBKEY_bio
 #define d2i_PrivateKey                  wolfSSL_d2i_PrivateKey
 #define d2i_AutoPrivateKey              wolfSSL_d2i_AutoPrivateKey
-#define i2d_PrivateKey                  wolfSSL_i2d_PrivateKey
 #define SSL_use_PrivateKey              wolfSSL_use_PrivateKey
 #define SSL_use_PrivateKey_ASN1         wolfSSL_use_PrivateKey_ASN1
 #define SSL_use_RSAPrivateKey_ASN1      wolfSSL_use_RSAPrivateKey_ASN1
@@ -301,6 +304,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define SSL_set_connect_state           wolfSSL_set_connect_state
 #define SSL_set_accept_state            wolfSSL_set_accept_state
 #define SSL_session_reused              wolfSSL_session_reused
+#define SSL_SESSION_up_ref              wolfSSL_SESSION_up_ref
 #define SSL_SESSION_dup                 wolfSSL_SESSION_dup
 #define SSL_SESSION_free                wolfSSL_SESSION_free
 #define SSL_is_init_finished            wolfSSL_is_init_finished
@@ -340,8 +344,8 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 
 #define DSA_dup_DH                      wolfSSL_DSA_dup_DH
 /* wolfSSL does not support DSA as the cert public key */
-#define EVP_PKEY_get0_DSA(...)          NULL
+#define EVP_PKEY_get0_DSA               wolfSSL_EVP_PKEY_get0_DSA
-#define DSA_bits(...)                   0
+#define DSA_bits                        wolfSSL_DSA_bits
 
 #define i2d_X509_bio                    wolfSSL_i2d_X509_bio
 #define d2i_X509_bio                    wolfSSL_d2i_X509_bio
@@ -374,14 +378,19 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define X509_digest                     wolfSSL_X509_digest
 #define X509_get_ext_count              wolfSSL_X509_get_ext_count
 #define X509_get_ext_d2i                wolfSSL_X509_get_ext_d2i
+#define X509V3_EXT_i2d                  wolfSSL_X509V3_EXT_i2d
 #define X509_get_ext                    wolfSSL_X509_get_ext
 #define X509_get_ext_by_NID             wolfSSL_X509_get_ext_by_NID
 #define X509_get_issuer_name            wolfSSL_X509_get_issuer_name
+#define X509_issuer_name_hash           wolfSSL_X509_issuer_name_hash
 #define X509_get_subject_name           wolfSSL_X509_get_subject_name
+#define X509_subject_name_hash          wolfSSL_X509_subject_name_hash
 #define X509_get_pubkey                 wolfSSL_X509_get_pubkey
 #define X509_get0_pubkey                wolfSSL_X509_get_pubkey
 #define X509_get_notBefore              wolfSSL_X509_get_notBefore
+#define X509_get0_notBefore             wolfSSL_X509_get_notBefore
 #define X509_get_notAfter               wolfSSL_X509_get_notAfter
+#define X509_get0_notAfter              wolfSSL_X509_get_notAfter
 #define X509_get_serialNumber           wolfSSL_X509_get_serialNumber
 #define X509_get0_pubkey_bitstr         wolfSSL_X509_get0_pubkey_bitstr
 #define X509_get_ex_new_index           wolfSSL_X509_get_ex_new_index
@@ -407,9 +416,11 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define X509_check_private_key          wolfSSL_X509_check_private_key
 #define X509_check_ca                   wolfSSL_X509_check_ca
 #define X509_check_host                 wolfSSL_X509_check_host
+#define X509_check_ip_asc               wolfSSL_X509_check_ip_asc
 #define X509_email_free                 wolfSSL_X509_email_free
 #define X509_check_issued               wolfSSL_X509_check_issued
 #define X509_dup                        wolfSSL_X509_dup
+#define X509_add_ext                    wolfSSL_X509_add_ext
 
 #define X509_EXTENSION_get_object       wolfSSL_X509_EXTENSION_get_object
 #define X509_EXTENSION_get_data         wolfSSL_X509_EXTENSION_get_data
@@ -422,7 +433,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define sk_X509_push                    wolfSSL_sk_X509_push
 #define sk_X509_pop                     wolfSSL_sk_X509_pop
 #define sk_X509_pop_free                wolfSSL_sk_X509_pop_free
-#define sk_X509_dup                     wolfSSL_sk_X509_dup
+#define sk_X509_dup                     wolfSSL_sk_dup
 #define sk_X509_free                    wolfSSL_sk_X509_free
 
 #define sk_X509_EXTENSION_num           wolfSSL_sk_X509_EXTENSION_num
@@ -430,7 +441,6 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define sk_X509_EXTENSION_new_null      wolfSSL_sk_X509_EXTENSION_new_null
 #define sk_X509_EXTENSION_pop_free      wolfSSL_sk_X509_EXTENSION_pop_free
 #define sk_X509_EXTENSION_push          wolfSSL_sk_X509_EXTENSION_push
-#define X509_EXTENSION_free             wolfSSL_X509_EXTENSION_free
 
 #define X509_INFO_new                   wolfSSL_X509_INFO_new
 #define X509_INFO_free                  wolfSSL_X509_INFO_free
@@ -444,6 +454,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define sk_X509_INFO_free               wolfSSL_sk_X509_INFO_free
 
 #define i2d_X509_NAME                   wolfSSL_i2d_X509_NAME
+#define d2i_X509_NAME                   wolfSSL_d2i_X509_NAME
 #define X509_NAME_new                   wolfSSL_X509_NAME_new
 #define X509_NAME_free                  wolfSSL_X509_NAME_free
 #define X509_NAME_dup                   wolfSSL_X509_NAME_dup
@@ -568,7 +579,6 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define sk_X509_REVOKED_value           wolfSSL_sk_X509_REVOKED_value
 
 #define X509_OBJECT_free_contents       wolfSSL_X509_OBJECT_free_contents
-#define X509_subject_name_hash          wolfSSL_X509_subject_name_hash
 
 #define X509_check_purpose(...)         0
 
@@ -661,6 +671,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define ASN1_INTEGER_to_BN              wolfSSL_ASN1_INTEGER_to_BN
 
 #define i2a_ASN1_OBJECT                 wolfSSL_i2a_ASN1_OBJECT
+#define i2d_ASN1_OBJECT                 wolfSSL_i2d_ASN1_OBJECT
 
 #define ASN1_STRING_data                wolfSSL_ASN1_STRING_data
 #define ASN1_STRING_get0_data           wolfSSL_ASN1_STRING_data
@@ -850,7 +861,6 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 /*#if OPENSSL_API_COMPAT < 0x10100000L*/
 #define CONF_modules_free()
 #define ENGINE_cleanup()
-#define HMAC_CTX_cleanup                wolfSSL_HMAC_cleanup
 #define SSL_CTX_need_tmp_RSA(ctx)       0
 #define SSL_CTX_set_tmp_rsa(ctx,rsa)    1
 #define SSL_need_tmp_RSA(ssl)           0
@@ -887,14 +897,6 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 
 #define sk_X509_NAME_find               wolfSSL_sk_X509_NAME_find
 
-enum {
-    GEN_DNS   = 0x02, /* ASN_DNS_TYPE */
-    GEN_EMAIL = 0x01, /* ASN_RFC822_TYPE */
-    GEN_URI   = 0x06, /* ASN_URI_TYPE */
-    GEN_IPADD = 0x07,
-    GEN_RID   = 0x08, /* Registered ID, not supported */
-};
-
 #define PEM_read_bio_DHparams           wolfSSL_PEM_read_bio_DHparams
 #define PEM_read_bio_DSAparams          wolfSSL_PEM_read_bio_DSAparams
 
@@ -910,7 +912,7 @@ enum {
 #define sk_SSL_COMP_zero                wolfSSL_sk_SSL_COMP_zero
 #define sk_SSL_CIPHER_value             wolfSSL_sk_SSL_CIPHER_value
 #endif /* OPENSSL_ALL || WOLFSSL_HAPROXY */
-#define sk_SSL_CIPHER_dup               wolfSSL_sk_SSL_CIPHER_dup
+#define sk_SSL_CIPHER_dup               wolfSSL_sk_dup
 #define sk_SSL_CIPHER_free              wolfSSL_sk_SSL_CIPHER_free
 #define sk_SSL_CIPHER_find              wolfSSL_sk_SSL_CIPHER_find
 
@@ -919,7 +921,6 @@ enum {
 #include <libwolfssl/openssl/pem.h>
 
 #define SSL_CTRL_CHAIN       88
-#define GEN_IPADD            7
 #define ERR_LIB_SSL          20
 #define SSL_R_SHORT_READ     10
 #define ERR_R_PEM_LIB        9
@@ -959,6 +960,7 @@ enum {
 #define SSL_num_renegotiations          wolfSSL_num_renegotiations
 #define SSL_renegotiate                 wolfSSL_Rehandshake
 #define SSL_get_secure_renegotiation_support wolfSSL_SSL_get_secure_renegotiation_support
+#define SSL_renegotiate_pending         wolfSSL_SSL_renegotiate_pending
 #define SSL_set_tlsext_debug_arg        wolfSSL_set_tlsext_debug_arg
 #define SSL_set_tlsext_status_type      wolfSSL_set_tlsext_status_type
 #define SSL_set_tlsext_status_exts      wolfSSL_set_tlsext_status_exts
@@ -1227,7 +1229,7 @@ enum {
 #define X509_OBJECT_free                wolfSSL_X509_OBJECT_free
 #define X509_OBJECT_get_type(x)         0
 
-#define OpenSSL_version(x)              wolfSSL_lib_version()
+#define OpenSSL_version(x)              wolfSSL_OpenSSL_version()
 
 #ifdef __cplusplus
     } /* extern "C" */

source/libwolfssl/openssl/stack.h

@@ -28,6 +28,8 @@
     extern "C" {
 #endif
 
+#include <libwolfssl/openssl/conf.h>
+
 typedef void (*wolfSSL_sk_freefunc)(void *);
 
 WOLFSSL_API void wolfSSL_sk_GENERIC_pop_free(WOLFSSL_STACK* sk, wolfSSL_sk_freefunc);

source/libwolfssl/openssl/x509v3.h

@@ -40,6 +40,7 @@
 /* Forward reference */
 
 typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long);
+typedef int (*X509V3_EXT_I2D) (void *, unsigned char **);
 typedef STACK_OF(CONF_VALUE) *(*X509V3_EXT_I2V) (
                                 struct WOLFSSL_v3_ext_method *method,
                                 void *ext, STACK_OF(CONF_VALUE) *extlist);
@@ -53,6 +54,7 @@ struct WOLFSSL_v3_ext_method {
     int ext_flags;
     void *usr_data;
     X509V3_EXT_D2I d2i;
+    X509V3_EXT_I2D i2d;
     X509V3_EXT_I2V i2v;
     X509V3_EXT_I2S i2s;
     X509V3_EXT_I2R i2r;
@@ -61,7 +63,7 @@ struct WOLFSSL_v3_ext_method {
 struct WOLFSSL_X509_EXTENSION {
     WOLFSSL_ASN1_OBJECT *obj;
     WOLFSSL_ASN1_BOOLEAN crit;
-    WOLFSSL_ASN1_STRING value;
+    ASN1_OCTET_STRING value; /* DER format of extension */
     WOLFSSL_v3_ext_method ext_method;
     WOLFSSL_STACK* ext_sk; /* For extension specific data */
 };
@@ -86,7 +88,9 @@ typedef struct WOLFSSL_BASIC_CONSTRAINTS BASIC_CONSTRAINTS;
 typedef struct WOLFSSL_ACCESS_DESCRIPTION ACCESS_DESCRIPTION;
 typedef WOLF_STACK_OF(WOLFSSL_ACCESS_DESCRIPTION) WOLFSSL_AUTHORITY_INFO_ACCESS;
 
+WOLFSSL_API WOLFSSL_BASIC_CONSTRAINTS* wolfSSL_BASIC_CONSTRAINTS_new(void);
 WOLFSSL_API void wolfSSL_BASIC_CONSTRAINTS_free(WOLFSSL_BASIC_CONSTRAINTS *bc);
+WOLFSSL_API WOLFSSL_AUTHORITY_KEYID* wolfSSL_AUTHORITY_KEYID_new(void);
 WOLFSSL_API void wolfSSL_AUTHORITY_KEYID_free(WOLFSSL_AUTHORITY_KEYID *id);
 WOLFSSL_API const WOLFSSL_v3_ext_method* wolfSSL_X509V3_EXT_get(
                                                     WOLFSSL_X509_EXTENSION* ex);

source/libwolfssl/sniffer.h

@@ -49,12 +49,49 @@ SSL_SNIFFER_API int ssl_SetPrivateKey(const char* address, int port,
                                       const char* keyFile, int typeK,
                                       const char* password, char* error);
 
+WOLFSSL_API
+SSL_SNIFFER_API int ssl_SetPrivateKeyBuffer(const char* address, int port,
+                                            const char* keyBuf, int keySz, 
+                                            int typeK, const char* password, 
+                                            char* error);
+
+
 WOLFSSL_API
 SSL_SNIFFER_API int ssl_SetNamedPrivateKey(const char* name,
                                            const char* address, int port,
                                            const char* keyFile, int typeK,
                                            const char* password, char* error);
 
+WOLFSSL_API
+SSL_SNIFFER_API int ssl_SetNamedPrivateKeyBuffer(const char* name,
+                                                 const char* address, int port,
+                                                 const char* keyBuf, int keySz, 
+                                                 int typeK, const char* password, 
+                                                 char* error);
+
+WOLFSSL_API 
+SSL_SNIFFER_API int ssl_SetEphemeralKey(const char* address, int port, 
+                                        const char* keyFile, int typeKey, 
+                                        const char* password, char* error);
+
+WOLFSSL_API 
+SSL_SNIFFER_API int ssl_SetEphemeralKeyBuffer(const char* address, int port, 
+                                              const char* keyBuf, int keySz, int typeKey, 
+                                              const char* password, char* error);
+
+
+WOLFSSL_API 
+SSL_SNIFFER_API int ssl_SetNamedEphemeralKey(const char* name,
+                                             const char* address, int port,
+                                             const char* keyFile, int typeKey,
+                                             const char* password, char* error);
+
+WOLFSSL_API 
+SSL_SNIFFER_API int ssl_SetNamedEphemeralKeyBuffer(const char* name,
+                                                   const char* address, int port,
+                                                   const char* keyBuf, int keySz, int typeKey, 
+                                                   const char* password, char* error);
+
 WOLFSSL_API
 SSL_SNIFFER_API int ssl_DecodePacket(const unsigned char* packet, int length,
                                      unsigned char** data, char* error);

source/libwolfssl/sniffer_error.h

@@ -130,6 +130,7 @@
 #define NO_DATA_DEST_STR 91
 #define STORE_DATA_FAIL_STR 92
 #define CHAIN_INPUT_STR 93
+#define GOT_ENC_EXT_STR 94
 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */
 
 

source/libwolfssl/ssl.h

@@ -274,7 +274,8 @@ struct WOLFSSL_ASN1_OBJECT {
     int ca;
     WOLFSSL_ASN1_INTEGER *pathlen;
 #endif
-    unsigned char dynamic; /* if 1 then obj was dynamically created, 0 otherwise */
+    unsigned char dynamic; /* Use WOLFSSL_ASN1_DYNAMIC and WOLFSSL_ASN1_DYNAMIC_DATA
+                            * to determine what needs to be freed. */
 
 #if defined(WOLFSSL_APACHE_HTTPD)
     WOLFSSL_GENERAL_NAME* gn;
@@ -506,7 +507,7 @@ struct WOLFSSL_X509_STORE {
     int                   cache;          /* stunnel dereference */
     WOLFSSL_CERT_MANAGER* cm;
     WOLFSSL_X509_LOOKUP   lookup;
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
     int                   isDynamic;
     WOLFSSL_X509_VERIFY_PARAM* param;    /* certificate validation parameter */
 #endif
@@ -516,15 +517,15 @@ struct WOLFSSL_X509_STORE {
 #ifdef HAVE_EX_DATA
     WOLFSSL_CRYPTO_EX_DATA ex_data;
 #endif
-#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL)
+#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)) && defined(HAVE_CRL)
-    WOLFSSL_X509_CRL *crl;
+    WOLFSSL_X509_CRL *crl; /* points to cm->crl */
 #endif
 };
 
-#ifdef OPENSSL_EXTRA
+#define WOLFSSL_NO_WILDCARDS   0x4
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 #define WOLFSSL_USE_CHECK_TIME 0x2
 #define WOLFSSL_NO_CHECK_TIME  0x200000
-#define WOLFSSL_NO_WILDCARDS   0x4
 #define WOLFSSL_HOST_NAME_MAX  256
 #define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */
 struct WOLFSSL_X509_VERIFY_PARAM {
@@ -534,7 +535,7 @@ struct WOLFSSL_X509_VERIFY_PARAM {
     unsigned int  hostFlags;
     char ipasc[WOLFSSL_MAX_IPSTR];
 };
-#endif
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 
 typedef struct WOLFSSL_ALERT {
     int code;
@@ -709,11 +710,11 @@ WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_1_method(void);
 WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_1_server_method(void);
 WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_1_client_method(void);
 WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_2_method(void);
-WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_2_server_method(void);
+WOLFSSL_ABI WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_2_server_method(void);
 WOLFSSL_ABI WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_2_client_method(void);
 #ifdef WOLFSSL_TLS13
     WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_3_method(void);
-    WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_3_server_method(void);
+    WOLFSSL_ABI WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_3_server_method(void);
     WOLFSSL_ABI WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_3_client_method(void);
 #endif
 
@@ -861,7 +862,7 @@ WOLFSSL_ABI WOLFSSL_API int  wolfSSL_connect(WOLFSSL*);
 WOLFSSL_ABI WOLFSSL_API int  wolfSSL_write(WOLFSSL*, const void*, int);
 WOLFSSL_ABI WOLFSSL_API int  wolfSSL_read(WOLFSSL*, void*, int);
 WOLFSSL_API int  wolfSSL_peek(WOLFSSL*, void*, int);
-WOLFSSL_API int  wolfSSL_accept(WOLFSSL*);
+WOLFSSL_ABI WOLFSSL_API int  wolfSSL_accept(WOLFSSL*);
 WOLFSSL_API int  wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req);
 WOLFSSL_API int  wolfSSL_mutual_auth(WOLFSSL* ssl, int req);
 #ifdef WOLFSSL_TLS13
@@ -891,10 +892,12 @@ WOLFSSL_API int  wolfSSL_accept_TLSv13(WOLFSSL*);
 WOLFSSL_API int  wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx,
                                                 unsigned int sz);
 WOLFSSL_API int  wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz);
-WOLFSSL_API int  wolfSSL_write_early_data(WOLFSSL*, const void*, int, int*);
+WOLFSSL_API int  wolfSSL_write_early_data(WOLFSSL* ssl, const void* data,
-WOLFSSL_API int  wolfSSL_read_early_data(WOLFSSL*, void*, int, int*);
+                                          int sz, int* outSz);
-#endif
+WOLFSSL_API int  wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz,
-#endif
+                                         int* outSz);
+#endif /* WOLFSSL_EARLY_DATA */
+#endif /* WOLFSSL_TLS13 */
 WOLFSSL_ABI WOLFSSL_API void wolfSSL_CTX_free(WOLFSSL_CTX*);
 WOLFSSL_ABI WOLFSSL_API void wolfSSL_free(WOLFSSL*);
 WOLFSSL_ABI WOLFSSL_API int  wolfSSL_shutdown(WOLFSSL*);
@@ -918,9 +921,11 @@ WOLFSSL_API int  wolfSSL_SetServerID(WOLFSSL*, const unsigned char*, int, int);
 WOLFSSL_API int  wolfSSL_BIO_new_bio_pair(WOLFSSL_BIO**, size_t,
                      WOLFSSL_BIO**, size_t);
 
-WOLFSSL_API int wolfSSL_RSA_padding_add_PKCS1_PSS(WOLFSSL_RSA *rsa, unsigned char *EM,
+WOLFSSL_API int wolfSSL_RSA_padding_add_PKCS1_PSS(WOLFSSL_RSA *rsa,
+                                                  unsigned char *EM,
                                                   const unsigned char *mHash,
-                                                  const WOLFSSL_EVP_MD *Hash, int saltLen);
+                                                  const WOLFSSL_EVP_MD *hashAlg,
+                                                  int saltLen);
 WOLFSSL_API int wolfSSL_RSA_verify_PKCS1_PSS(WOLFSSL_RSA *rsa, const unsigned char *mHash,
                                           const WOLFSSL_EVP_MD *hashAlg,
                                           const unsigned char *EM, int saltLen);
@@ -1082,6 +1087,7 @@ typedef int WOLFSSL_LHASH;
 WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_new_node(void* heap);
 WOLFSSL_API void wolfSSL_sk_free(WOLFSSL_STACK* sk);
 WOLFSSL_API void wolfSSL_sk_free_node(WOLFSSL_STACK* in);
+WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk);
 WOLFSSL_API int wolfSSL_sk_push_node(WOLFSSL_STACK** stack, WOLFSSL_STACK* in);
 WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_get_node(WOLFSSL_STACK* sk, int idx);
 WOLFSSL_API int wolfSSL_sk_push(WOLFSSL_STACK *st, const void *data);
@@ -1102,12 +1108,13 @@ typedef WOLF_STACK_OF(WOLFSSL_GENERAL_NAME) WOLFSSL_GENERAL_NAMES;
 WOLFSSL_API int wolfSSL_sk_X509_push(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk,
                                                             WOLFSSL_X509* x509);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_sk_X509_pop(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk);
-WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_X509_dup(WOLFSSL_STACK* sk);
 WOLFSSL_API void wolfSSL_sk_X509_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk);
 WOLFSSL_API WOLFSSL_GENERAL_NAME* wolfSSL_GENERAL_NAME_new(void);
 WOLFSSL_API void wolfSSL_GENERAL_NAME_free(WOLFSSL_GENERAL_NAME* gn);
-WOLFSSL_API int wolfSSL_sk_GENERAL_NAME_push(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)* sk,
+WOLFSSL_API WOLFSSL_GENERAL_NAMES* wolfSSL_GENERAL_NAMES_dup(
-                                                      WOLFSSL_GENERAL_NAME* gn);
+                                             WOLFSSL_GENERAL_NAMES* gns);
+WOLFSSL_API int wolfSSL_sk_GENERAL_NAME_push(WOLFSSL_GENERAL_NAMES* sk,
+                                             WOLFSSL_GENERAL_NAME* gn);
 WOLFSSL_API WOLFSSL_GENERAL_NAME* wolfSSL_sk_GENERAL_NAME_value(
         WOLFSSL_STACK* sk, int i);
 WOLFSSL_API int wolfSSL_sk_GENERAL_NAME_num(WOLFSSL_STACK* sk);
@@ -1129,6 +1136,7 @@ WOLFSSL_API void wolfSSL_sk_X509_EXTENSION_pop_free(
         void (*f) (WOLFSSL_X509_EXTENSION*));
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* wolfSSL_sk_X509_EXTENSION_new_null(void);
 WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_new(void);
+WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_dup(WOLFSSL_ASN1_OBJECT* obj);
 WOLFSSL_API void wolfSSL_ASN1_OBJECT_free(WOLFSSL_ASN1_OBJECT* obj);
 WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_new_asn1_obj(void);
 WOLFSSL_API int wolfSSL_sk_ASN1_OBJECT_push(WOLF_STACK_OF(WOLFSSL_ASN1_OBJEXT)* sk,
@@ -1153,11 +1161,13 @@ WOLFSSL_API int  wolfSSL_set_session_id_context(WOLFSSL*, const unsigned char*,
 WOLFSSL_API void wolfSSL_set_connect_state(WOLFSSL*);
 WOLFSSL_API void wolfSSL_set_accept_state(WOLFSSL*);
 WOLFSSL_API int  wolfSSL_session_reused(WOLFSSL*);
+WOLFSSL_API int wolfSSL_SESSION_up_ref(WOLFSSL_SESSION* session);
 WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session);
+WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_new(void);
 WOLFSSL_API void wolfSSL_SESSION_free(WOLFSSL_SESSION* session);
 WOLFSSL_API int  wolfSSL_is_init_finished(WOLFSSL*);
 
-WOLFSSL_API const char*  wolfSSL_get_version(WOLFSSL*);
+WOLFSSL_API const char*  wolfSSL_get_version(const WOLFSSL*);
 WOLFSSL_API int  wolfSSL_get_current_cipher_suite(WOLFSSL* ssl);
 WOLFSSL_API WOLFSSL_CIPHER*  wolfSSL_get_current_cipher(WOLFSSL*);
 WOLFSSL_API char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER*, char*, int);
@@ -1312,6 +1322,8 @@ WOLFSSL_API void wolfSSL_X509_STORE_set_verify_cb(WOLFSSL_X509_STORE *st,
                                  WOLFSSL_X509_STORE_CTX_verify_cb verify_cb);
 WOLFSSL_API int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* n,
                                                            unsigned char** out);
+WOLFSSL_API WOLFSSL_X509_NAME *wolfSSL_d2i_X509_NAME(WOLFSSL_X509_NAME **name,
+                                              unsigned char **in, long length);
 #ifndef NO_RSA
 WOLFSSL_API int wolfSSL_RSA_print(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa, int offset);
 #endif
@@ -1325,8 +1337,10 @@ WOLFSSL_API char* wolfSSL_X509_get_name_oneline(WOLFSSL_X509_NAME*, char*, int);
 #endif
 WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name(
                                                                  WOLFSSL_X509*);
+WOLFSSL_API unsigned long  wolfSSL_X509_issuer_name_hash(const WOLFSSL_X509* x509);
 WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(
                                                                  WOLFSSL_X509*);
+WOLFSSL_API unsigned long  wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509);
 WOLFSSL_API int  wolfSSL_X509_ext_isSet_by_NID(WOLFSSL_X509*, int);
 WOLFSSL_API int  wolfSSL_X509_ext_get_critical_by_NID(WOLFSSL_X509*, int);
 WOLFSSL_API int  wolfSSL_X509_get_isCA(WOLFSSL_X509*);
@@ -1365,6 +1379,7 @@ WOLFSSL_API int wolfSSL_X509_NAME_get_index_by_NID(
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_X509_NAME_ENTRY_get_data(WOLFSSL_X509_NAME_ENTRY*);
 
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_new(void);
+WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_dup(WOLFSSL_ASN1_STRING* asn1);
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_type_new(int type);
 WOLFSSL_API int wolfSSL_ASN1_STRING_type(const WOLFSSL_ASN1_STRING* asn1);
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_d2i_DISPLAYTEXT(WOLFSSL_ASN1_STRING **asn, const unsigned char **in, long len);
@@ -1421,11 +1436,12 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PUBKEY_bio(WOLFSSL_BIO* bio,
                                          WOLFSSL_EVP_PKEY** out);
 WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PUBKEY(WOLFSSL_EVP_PKEY** key,
         const unsigned char** in, long inSz);
+WOLFSSL_API int wolfSSL_i2d_PUBKEY(const WOLFSSL_EVP_PKEY *key, unsigned char **der);
 WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type,
         WOLFSSL_EVP_PKEY** out, const unsigned char **in, long inSz);
 WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_EVP(WOLFSSL_EVP_PKEY** key,
         unsigned char** in, long inSz);
-WOLFSSL_API int wolfSSL_i2d_PrivateKey(WOLFSSL_EVP_PKEY* key,
+WOLFSSL_API int wolfSSL_i2d_PrivateKey(const WOLFSSL_EVP_PKEY* key,
         unsigned char** der);
 WOLFSSL_API int       wolfSSL_X509_cmp_current_time(const WOLFSSL_ASN1_TIME*);
 #ifdef OPENSSL_EXTRA
@@ -1571,6 +1587,7 @@ WOLFSSL_API long wolfSSL_clear_options(WOLFSSL *s,  long op);
 WOLFSSL_API long wolfSSL_clear_num_renegotiations(WOLFSSL *s);
 WOLFSSL_API long wolfSSL_total_renegotiations(WOLFSSL *s);
 WOLFSSL_API long wolfSSL_num_renegotiations(WOLFSSL* s);
+WOLFSSL_API int  wolfSSL_SSL_renegotiate_pending(WOLFSSL *s);
 WOLFSSL_API long wolfSSL_set_tmp_dh(WOLFSSL *s, WOLFSSL_DH *dh);
 WOLFSSL_API long wolfSSL_set_tlsext_debug_arg(WOLFSSL *s, void *arg);
 WOLFSSL_API long wolfSSL_set_tlsext_status_type(WOLFSSL *s, int type);
@@ -1597,8 +1614,6 @@ enum {
     WOLFSSL_CRL_CHECK    = 2,
 };
 
-#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
-    defined(HAVE_WEBSERVER)
 /* Separated out from other enums because of size */
 enum {
     SSL_OP_MICROSOFT_SESS_ID_BUG                  = 0x00000001,
@@ -1645,6 +1660,8 @@ enum {
                   | SSL_OP_TLS_ROLLBACK_BUG),
 };
 
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+    defined(HAVE_WEBSERVER)
 /* for compatibility these must be macros */
 #define SSL_OP_NO_SSLv2   WOLFSSL_OP_NO_SSLv2
 #define SSL_OP_NO_SSLv3   WOLFSSL_OP_NO_SSLv3
@@ -1950,6 +1967,11 @@ enum { /* ssl Constants */
     WOLFSSL_API void wolfSSL_set_psk_server_tls13_callback(WOLFSSL*,
                                                   wc_psk_server_tls13_callback);
 #endif
+    WOLFSSL_API void* wolfSSL_get_psk_callback_ctx(WOLFSSL*);
+    WOLFSSL_API int   wolfSSL_set_psk_callback_ctx(WOLFSSL*, void*);
+
+    WOLFSSL_API void* wolfSSL_CTX_get_psk_callback_ctx(WOLFSSL_CTX*);
+    WOLFSSL_API int   wolfSSL_CTX_set_psk_callback_ctx(WOLFSSL_CTX*, void*);
 
     #define PSK_TYPES_DEFINED
 #endif /* NO_PSK */
@@ -1992,10 +2014,9 @@ WOLFSSL_API long wolfSSL_CTX_set_options(WOLFSSL_CTX*, long);
 WOLFSSL_API long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx);
 WOLFSSL_API long wolfSSL_CTX_clear_options(WOLFSSL_CTX*, long);
 
-#ifndef NO_CERTS
+#if !defined(NO_FILESYSTEM) && !defined(NO_CHECK_PRIVATE_KEY)
   WOLFSSL_API int  wolfSSL_CTX_check_private_key(const WOLFSSL_CTX*);
-#endif /* !NO_CERTS */
+#endif
-
 WOLFSSL_API void wolfSSL_ERR_free_strings(void);
 WOLFSSL_API void wolfSSL_ERR_remove_state(unsigned long);
 WOLFSSL_API int  wolfSSL_clear(WOLFSSL* ssl);
@@ -2045,7 +2066,8 @@ WOLFSSL_API WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_set(WOLFSSL_ASN1_TIME *s, time_
 WOLFSSL_API int wolfSSL_sk_num(WOLFSSL_STACK* sk);
 WOLFSSL_API void* wolfSSL_sk_value(WOLFSSL_STACK* sk, int i);
 
-#if defined(HAVE_EX_DATA) || defined(FORTRESS)
+#if (defined(HAVE_EX_DATA) || defined(FORTRESS)) && \
+    (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL))
 WOLFSSL_API void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data,
                                             int idx);
 WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx,
@@ -2087,6 +2109,7 @@ WOLFSSL_ABI WOLFSSL_API int wolfSSL_Cleanup(void);
 
 /* which library version do we have */
 WOLFSSL_API const char* wolfSSL_lib_version(void);
+WOLFSSL_API const char* wolfSSL_OpenSSL_version(void);
 /* which library version do we have in hex */
 WOLFSSL_API word32 wolfSSL_lib_version_hex(void);
 
@@ -2134,6 +2157,7 @@ WOLFSSL_API int wolfSSL_X509_version(WOLFSSL_X509*);
 WOLFSSL_API int wolfSSL_cmp_peer_cert_to_file(WOLFSSL*, const char*);
 
 WOLFSSL_ABI WOLFSSL_API char* wolfSSL_X509_get_next_altname(WOLFSSL_X509*);
+WOLFSSL_API int wolfSSL_X509_add_altname_ex(WOLFSSL_X509*, const char*, word32, int);
 WOLFSSL_API int wolfSSL_X509_add_altname(WOLFSSL_X509*, const char*, int);
 
 WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509(WOLFSSL_X509** x509,
@@ -2424,6 +2448,7 @@ WOLFSSL_API void  wolfSSL_SetVerifyDecryptCtx(WOLFSSL* ssl, void *ctx);
 WOLFSSL_API void* wolfSSL_GetVerifyDecryptCtx(WOLFSSL* ssl);
 
 WOLFSSL_API const unsigned char* wolfSSL_GetMacSecret(WOLFSSL*, int);
+WOLFSSL_API const unsigned char* wolfSSL_GetDtlsMacSecret(WOLFSSL*, int, int);
 WOLFSSL_API const unsigned char* wolfSSL_GetClientWriteKey(WOLFSSL*);
 WOLFSSL_API const unsigned char* wolfSSL_GetClientWriteIV(WOLFSSL*);
 WOLFSSL_API const unsigned char* wolfSSL_GetServerWriteKey(WOLFSSL*);
@@ -2527,7 +2552,7 @@ struct DhKey;
 typedef int (*CallbackDhAgree)(WOLFSSL* ssl, struct DhKey* key,
         const unsigned char* priv, unsigned int privSz,
         const unsigned char* otherPubKeyDer, unsigned int otherPubKeySz,
-        unsigned char* out, unsigned int* outlen,
+        unsigned char* out, word32* outlen,
         void* ctx);
 WOLFSSL_API void  wolfSSL_CTX_SetDhAgreeCb(WOLFSSL_CTX*, CallbackDhAgree);
 WOLFSSL_API void  wolfSSL_SetDhAgreeCtx(WOLFSSL* ssl, void *ctx);
@@ -2625,7 +2650,7 @@ WOLFSSL_API void* wolfSSL_GetX448SharedSecretCtx(WOLFSSL* ssl);
 #ifndef NO_RSA
 typedef int (*CallbackRsaSign)(WOLFSSL* ssl,
        const unsigned char* in, unsigned int inSz,
-       unsigned char* out, unsigned int* outSz,
+       unsigned char* out, word32* outSz,
        const unsigned char* keyDer, unsigned int keySz,
        void* ctx);
 WOLFSSL_API void  wolfSSL_CTX_SetRsaSignCb(WOLFSSL_CTX*, CallbackRsaSign);
@@ -2670,7 +2695,7 @@ WOLFSSL_API void* wolfSSL_GetRsaPssVerifyCtx(WOLFSSL* ssl);
 /* RSA Public Encrypt cb */
 typedef int (*CallbackRsaEnc)(WOLFSSL* ssl,
        const unsigned char* in, unsigned int inSz,
-       unsigned char* out, unsigned int* outSz,
+       unsigned char* out, word32* outSz,
        const unsigned char* keyDer, unsigned int keySz,
        void* ctx);
 WOLFSSL_API void  wolfSSL_CTX_SetRsaEncCb(WOLFSSL_CTX*, CallbackRsaEnc);
@@ -3031,6 +3056,7 @@ enum {
     WOLFSSL_ECC_BRAINPOOLP512R1 = 28,
     WOLFSSL_ECC_X25519    = 29,
     WOLFSSL_ECC_X448      = 30,
+    WOLFSSL_ECC_MAX       = 30,
 
     WOLFSSL_FFDHE_2048    = 256,
     WOLFSSL_FFDHE_3072    = 257,
@@ -3208,7 +3234,6 @@ WOLFSSL_API int wolfSSL_accept_ex(WOLFSSL*, HandShakeCallBack, TimeoutCallBack,
 #include <libwolfssl/openssl/asn1.h>
 struct WOLFSSL_X509_NAME_ENTRY {
     WOLFSSL_ASN1_OBJECT  object;  /* static object just for keeping grp, type */
-    WOLFSSL_ASN1_STRING  data;
     WOLFSSL_ASN1_STRING* value;  /* points to data, for lighttpd port */
     int nid; /* i.e. ASN_COMMON_NAME */
     int set;
@@ -3219,11 +3244,8 @@ WOLFSSL_API int wolfSSL_X509_NAME_get_index_by_OBJ(WOLFSSL_X509_NAME *name,
                                                    const WOLFSSL_ASN1_OBJECT *obj,
                                                    int idx);
 
-#endif /* OPENSSL_ALL || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 
 
-#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
-
 enum {
     WOLFSSL_SYS_ACCEPT = 0,
     WOLFSSL_SYS_BIND,
@@ -3293,12 +3315,23 @@ WOLFSSL_API int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME* x,
 WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_NAME_new(void);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509*);
 WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_NAME_dup(WOLFSSL_X509_NAME*);
+WOLFSSL_API int wolfSSL_X509_NAME_copy(WOLFSSL_X509_NAME*, WOLFSSL_X509_NAME*);
 WOLFSSL_API int wolfSSL_check_private_key(const WOLFSSL* ssl);
+#endif /* !NO_CERTS */
+#endif /* OPENSSL_ALL || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 WOLFSSL_API void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509,
                                                      int nid, int* c, int* idx);
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
+#ifndef NO_CERTS
 WOLFSSL_API int wolfSSL_X509_get_ext_count(const WOLFSSL_X509* passedCert);
 WOLFSSL_API int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509 *x, int nid, int lastpos);
 WOLFSSL_API int wolfSSL_X509_add_ext(WOLFSSL_X509 *x, WOLFSSL_X509_EXTENSION *ex, int loc);
+WOLFSSL_API WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit,
+                                                           void *data);
 WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_X509V3_EXT_conf_nid(
         WOLF_LHASH_OF(CONF_VALUE)* conf, WOLFSSL_X509V3_CTX* ctx, int nid,
         char* value);
@@ -3335,7 +3368,7 @@ WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_new_x509_ext(void);
 
 WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_X509_EXTENSION_get_object(WOLFSSL_X509_EXTENSION* ext);
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_X509_EXTENSION_get_data(WOLFSSL_X509_EXTENSION* ext);
-#endif /* NO_CERTS */
+#endif /* !NO_CERTS */
 
 WOLFSSL_API WOLFSSL_DH *wolfSSL_DSA_dup_DH(const WOLFSSL_DSA *r);
 
@@ -3343,8 +3376,6 @@ WOLFSSL_API int wolfSSL_SESSION_get_master_key(const WOLFSSL_SESSION* ses,
         unsigned char* out, int outSz);
 WOLFSSL_API int wolfSSL_SESSION_get_master_key_length(const WOLFSSL_SESSION* ses);
 
-WOLFSSL_API void wolfSSL_CTX_set_cert_store(WOLFSSL_CTX* ctx,
-                                                       WOLFSSL_X509_STORE* str);
 WOLFSSL_API int wolfSSL_i2d_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509* x509);
 #if !defined(NO_FILESYSTEM)
 WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509_fp(XFILE fp,
@@ -3353,20 +3384,27 @@ WOLFSSL_API WOLFSSL_STACK* wolfSSL_X509_STORE_GetCerts(WOLFSSL_X509_STORE_CTX* s
 #endif
 WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509_bio(WOLFSSL_BIO* bio,
                                                WOLFSSL_X509** x509);
-WOLFSSL_API WOLFSSL_X509_STORE* wolfSSL_CTX_get_cert_store(WOLFSSL_CTX* ctx);
+#endif /* OPENSSL_EXTRA || OPENSSL_ALL */
 
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
+WOLFSSL_API void wolfSSL_CTX_set_cert_store(WOLFSSL_CTX* ctx,
+                                                       WOLFSSL_X509_STORE* str);
+WOLFSSL_API WOLFSSL_X509_STORE* wolfSSL_CTX_get_cert_store(WOLFSSL_CTX* ctx);
+WOLFSSL_API size_t wolfSSL_get_server_random(const WOLFSSL *ssl,
+                                             unsigned char *out, size_t outlen);
+WOLFSSL_API size_t wolfSSL_get_client_random(const WOLFSSL* ssl,
+                                              unsigned char* out, size_t outSz);
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
 WOLFSSL_API size_t wolfSSL_BIO_wpending(const WOLFSSL_BIO *bio);
 WOLFSSL_API size_t wolfSSL_BIO_ctrl_pending(WOLFSSL_BIO *b);
 
-WOLFSSL_API size_t wolfSSL_get_server_random(const WOLFSSL *ssl,
-                                             unsigned char *out, size_t outlen);
 WOLFSSL_API int wolfSSL_get_server_tmp_key(const WOLFSSL*, WOLFSSL_EVP_PKEY**);
 
 WOLFSSL_API int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX*, int);
 WOLFSSL_API int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX*, int);
 
-WOLFSSL_API size_t wolfSSL_get_client_random(const WOLFSSL* ssl,
-                                              unsigned char* out, size_t outSz);
 WOLFSSL_API int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey);
 WOLFSSL_API WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, pem_password_cb *cb, void *u);
 WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_PEM_read_bio_X509_CRL(WOLFSSL_BIO *bp,
@@ -3385,9 +3423,12 @@ WOLFSSL_API int wolfSSL_PEM_get_EVP_CIPHER_INFO(char* header,
 WOLFSSL_API int wolfSSL_PEM_do_header(EncryptedInfo* cipher,
                                       unsigned char* data, long* len,
                                       pem_password_cb* callback, void* ctx);
+#endif /* OPENSSL_EXTRA || OPENSSL_ALL */
 
 /*lighttp compatibility */
 
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \
+    defined(OPENSSL_EXTRA_X509_SMALL)
 struct WOLFSSL_ASN1_BIT_STRING {
     int length;
     int type;
@@ -3395,6 +3436,11 @@ struct WOLFSSL_ASN1_BIT_STRING {
     long flags;
 };
 
+WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NAME *name, int loc);
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)|| \
+    defined(OPENSSL_EXTRA_X509_SMALL)
 
 #if    defined(OPENSSL_EXTRA) \
     || defined(OPENSSL_ALL) \
@@ -3402,7 +3448,8 @@ struct WOLFSSL_ASN1_BIT_STRING {
     || defined(WOLFSSL_MYSQL_COMPATIBLE) \
     || defined(HAVE_STUNNEL) \
     || defined(WOLFSSL_NGINX) \
-    || defined(WOLFSSL_HAPROXY)
+    || defined(WOLFSSL_HAPROXY) \
+    || defined(OPENSSL_EXTRA_X509_SMALL)
 WOLFSSL_API void wolfSSL_X509_NAME_ENTRY_free(WOLFSSL_X509_NAME_ENTRY* ne);
 WOLFSSL_API WOLFSSL_X509_NAME_ENTRY* wolfSSL_X509_NAME_ENTRY_new(void);
 WOLFSSL_API void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME* name);
@@ -3414,7 +3461,6 @@ WOLFSSL_API void wolfSSL_set_verify_depth(WOLFSSL *ssl,int depth);
 WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl);
 WOLFSSL_API int wolfSSL_set_app_data(WOLFSSL *ssl, void *arg);
 WOLFSSL_API WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne);
-WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NAME *name, int loc);
 WOLFSSL_API unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md);
 WOLFSSL_API unsigned char *wolfSSL_SHA256(const unsigned char *d, size_t n, unsigned char *md);
 WOLFSSL_API unsigned char *wolfSSL_SHA384(const unsigned char *d, size_t n, unsigned char *md);
@@ -3468,12 +3514,8 @@ WOLFSSL_API int wolfSSL_X509_REQ_set_pubkey(WOLFSSL_X509 *req,
 #endif
 
 
-#if defined(OPENSSL_ALL) \
+#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \
-    || defined(HAVE_STUNNEL) \
+    || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
-    || defined(WOLFSSL_NGINX) \
-    || defined(WOLFSSL_HAPROXY) \
-    || defined(OPENSSL_EXTRA) \
-    || defined(HAVE_LIGHTY)
 
 #include <libwolfssl/openssl/crypto.h>
 
@@ -3485,6 +3527,8 @@ WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const ch
 
 WOLFSSL_API void wolfSSL_CRYPTO_cleanup_all_ex_data(void);
 
+WOLFSSL_API int wolfSSL_CRYPTO_memcmp(const void *a, const void *b, size_t size);
+
 WOLFSSL_API WOLFSSL_BIGNUM* wolfSSL_DH_768_prime(WOLFSSL_BIGNUM* bn);
 WOLFSSL_API WOLFSSL_BIGNUM* wolfSSL_DH_1024_prime(WOLFSSL_BIGNUM* bn);
 WOLFSSL_API WOLFSSL_BIGNUM* wolfSSL_DH_1536_prime(WOLFSSL_BIGNUM* bn);
@@ -3550,7 +3594,9 @@ WOLFSSL_API int wolfSSL_sk_X509_OBJECT_num(const WOLF_STACK_OF(WOLFSSL_X509_OBJE
 
 WOLFSSL_API int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO*,WOLFSSL_X509_NAME*,int,
         unsigned long);
+#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || HAVE_LIGHTY */
 
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 WOLFSSL_API WOLFSSL_ASN1_BIT_STRING* wolfSSL_ASN1_BIT_STRING_new(void);
 WOLFSSL_API void wolfSSL_ASN1_BIT_STRING_free(WOLFSSL_ASN1_BIT_STRING*);
 WOLFSSL_API WOLFSSL_ASN1_BIT_STRING* wolfSSL_X509_get0_pubkey_bitstr(
@@ -3559,6 +3605,10 @@ WOLFSSL_API int wolfSSL_ASN1_BIT_STRING_get_bit(
                             const WOLFSSL_ASN1_BIT_STRING*, int);
 WOLFSSL_API int wolfSSL_ASN1_BIT_STRING_set_bit(
                             WOLFSSL_ASN1_BIT_STRING*, int, int);
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+
+#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \
+    || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
 
 WOLFSSL_API int        wolfSSL_CTX_add_session(WOLFSSL_CTX*, WOLFSSL_SESSION*);
 
@@ -3571,17 +3621,22 @@ WOLFSSL_API WOLFSSL_X509* wolfSSL_sk_X509_value(WOLF_STACK_OF(WOLFSSL_X509)*, in
 WOLFSSL_API WOLFSSL_X509* wolfSSL_sk_X509_shift(WOLF_STACK_OF(WOLFSSL_X509)*);
 
 WOLFSSL_API void* wolfSSL_sk_X509_OBJECT_value(WOLF_STACK_OF(WOLFSSL_X509_OBJECT)*, int);
+#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || HAVE_LIGHTY */
 
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 WOLFSSL_API void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION*, int);
 
 WOLFSSL_API int   wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION*, int, void*);
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+
+#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \
+    || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
 
 WOLFSSL_API int wolfSSL_SESSION_get_ex_new_index(long,void*,void*,void*,
         CRYPTO_free_func*);
 
 WOLFSSL_API int wolfSSL_X509_NAME_get_sz(WOLFSSL_X509_NAME*);
 
-
 WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(WOLFSSL_SESSION*,
         unsigned int*);
 
@@ -3624,10 +3679,13 @@ WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_OBJECT)*
 WOLFSSL_API WOLFSSL_X509_OBJECT*
         wolfSSL_sk_X509_OBJECT_delete(WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* sk, int i);
 WOLFSSL_API void wolfSSL_X509_OBJECT_free(WOLFSSL_X509_OBJECT *a);
-
-WOLFSSL_API void wolfSSL_sk_X509_pop_free(WOLF_STACK_OF(WOLFSSL_X509)* sk, void (*f) (WOLFSSL_X509*));
 #endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || HAVE_LIGHTY */
 
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
+#include <libwolfssl/openssl/stack.h>
+WOLFSSL_API void wolfSSL_sk_X509_pop_free(WOLF_STACK_OF(WOLFSSL_X509)* sk, void (*f) (WOLFSSL_X509*));
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+
 #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
 WOLFSSL_API int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names);
 WOLFSSL_API int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names);
@@ -3688,14 +3746,17 @@ WOLFSSL_LOCAL char* wolfSSL_get_ocsp_url(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url);
 #endif
 
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
+WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx);
+WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx,
+    void *data);
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \
     || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl);
 WOLFSSL_API int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a,
     void *b, void *c);
-WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx);
-WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx,
-    void *data);
 WOLFSSL_API int wolfSSL_X509_NAME_digest(const WOLFSSL_X509_NAME *data,
     const WOLFSSL_EVP_MD *type, unsigned char *md, unsigned int *len);
 
@@ -3715,8 +3776,6 @@ WOLFSSL_API int wolfSSL_SSL_in_connect_init(WOLFSSL*);
 #ifndef NO_SESSION_CACHE
     WOLFSSL_API WOLFSSL_SESSION *wolfSSL_SSL_get0_session(const WOLFSSL *s);
 #endif
-WOLFSSL_API int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk,
-    size_t chklen, unsigned int flags, char **peername);
 
 WOLFSSL_API int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp,
     const WOLFSSL_ASN1_INTEGER *a);
@@ -3745,13 +3804,13 @@ WOLFSSL_API int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer,
 
 WOLFSSL_API char* wolfSSL_sk_WOLFSSL_STRING_value(
     WOLF_STACK_OF(WOLFSSL_STRING)* strings, int idx);
-#endif /* HAVE_OCSP */
+#endif /* HAVE_OCSP || OPENSSL_EXTRA || OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */
 
 WOLFSSL_API int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bio,
     WOLFSSL_X509 *cert);
 
 #endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY ||
-    OPENSSL_EXTRA || HAVE_LIGHTY*/
+    OPENSSL_EXTRA || HAVE_LIGHTY */
 
 WOLFSSL_API void wolfSSL_get0_alpn_selected(const WOLFSSL *ssl,
         const unsigned char **data, unsigned int *len);
@@ -3782,8 +3841,14 @@ WOLFSSL_API void wolfSSL_CTX_set_next_proto_select_cb(WOLFSSL_CTX *s,
 WOLFSSL_API void wolfSSL_get0_next_proto_negotiated(const WOLFSSL *s, const unsigned char **data,
         unsigned *len);
 
+#ifndef NO_ASN
+WOLFSSL_API int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk,
+    size_t chklen, unsigned int flags, char **peername);
+WOLFSSL_API int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc,
+        unsigned int flags);
+#endif
 
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 WOLFSSL_API const unsigned char *SSL_SESSION_get0_id_context(
         const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length);
@@ -3808,6 +3873,7 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_X509_PUBKEY_get(WOLFSSL_X509_PUBKEY* key);
 WOLFSSL_API int wolfSSL_X509_PUBKEY_set(WOLFSSL_X509_PUBKEY **x, WOLFSSL_EVP_PKEY *key);
 WOLFSSL_API int i2t_ASN1_OBJECT(char *buf, int buf_len, WOLFSSL_ASN1_OBJECT *a);
 WOLFSSL_API int wolfSSL_i2a_ASN1_OBJECT(WOLFSSL_BIO *bp, WOLFSSL_ASN1_OBJECT *a);
+WOLFSSL_API int wolfSSL_i2d_ASN1_OBJECT(WOLFSSL_ASN1_OBJECT *a, unsigned char **pp);
 WOLFSSL_API void SSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx, WOLFSSL_DH *(*dh) (WOLFSSL *ssl, int is_export, int keylength));
 WOLFSSL_API WOLF_STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
 WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, const char *file, const char *dir);
@@ -3815,8 +3881,6 @@ WOLFSSL_API int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *ctx, WOLFSSL_X509
 WOLFSSL_API int wolfSSL_sk_SSL_CIPHER_num(const WOLF_STACK_OF(WOLFSSL_CIPHER)* p);
 WOLFSSL_API int wolfSSL_sk_SSL_CIPHER_find(
         WOLF_STACK_OF(WOLFSSL_CIPHER)* sk, const WOLFSSL_CIPHER* toFind);
-WOLFSSL_API WOLF_STACK_OF(WOLFSSL_CIPHER)* wolfSSL_sk_SSL_CIPHER_dup(
-        WOLF_STACK_OF(WOLFSSL_CIPHER)* in);
 WOLFSSL_API void wolfSSL_sk_SSL_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk);
 WOLFSSL_API int wolfSSL_sk_SSL_COMP_zero(WOLFSSL_STACK* st);
 WOLFSSL_API int wolfSSL_sk_SSL_COMP_num(WOLF_STACK_OF(WOLFSSL_COMP)* sk);
@@ -3843,10 +3907,9 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PKCS8PrivateKey_bio(WOLFSSL_BIO* bio,
     WOLFSSL_EVP_PKEY** pkey, pem_password_cb* cb, void* u);
 WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_AutoPrivateKey(
     WOLFSSL_EVP_PKEY** pkey, const unsigned char** data, long length);
-WOLFSSL_API unsigned long  wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509);
 
 
-#endif /* OPENSSL_EXTRA */
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 
 #ifdef HAVE_PK_CALLBACKS
 WOLFSSL_API int wolfSSL_IsPrivatePkSet(WOLFSSL* ssl);
@@ -3858,6 +3921,15 @@ WOLFSSL_API int wolfSSL_CTX_AllowEncryptThenMac(WOLFSSL_CTX *, int);
 WOLFSSL_API int wolfSSL_AllowEncryptThenMac(WOLFSSL *s, int);
 #endif
 
+/* This feature is used to set a fixed ephemeral key and is for testing only */
+/* Currently allows ECDHE and DHE only */
+#ifdef WOLFSSL_STATIC_EPHEMERAL
+WOLFSSL_API int wolfSSL_CTX_set_ephemeral_key(WOLFSSL_CTX* ctx, int keyAlgo,
+    const char* key, unsigned int keySz, int format);
+WOLFSSL_API int wolfSSL_set_ephemeral_key(WOLFSSL* ssl, int keyAlgo,
+    const char* key, unsigned int keySz, int format);
+#endif
+
 #ifdef __cplusplus
     }  /* extern "C" */
 #endif

source/libwolfssl/test.h

@@ -55,6 +55,7 @@
     #endif
     #define SOCKET_T SOCKET
     #define SNPRINTF _snprintf
+    #define XSLEEP_MS(t) Sleep(t)
 #elif defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
     #include <string.h>
     #include "rl_net.h"
@@ -69,9 +70,9 @@
         return(ret) ;
     }
     #if defined(HAVE_KEIL_RTX)
-        #define sleep(t) os_dly_wait(t/1000+1);
+        #define XSLEEP_MS(t)  os_dly_wait(t)
     #elif defined(WOLFSSL_CMSIS_RTOS) || defined(WOLFSSL_CMSIS_RTOSv2)
-        #define sleep(t) osDelay(t/1000+1);
+        #define XSLEEP_MS(t)  osDelay(t)
     #endif
 #elif defined(WOLFSSL_TIRTOS)
     #include <string.h>
@@ -88,6 +89,7 @@
         char **h_addr_list; /* list of addresses from name server */
     };
     #define SOCKET_T int
+    #define XSLEEP_MS(t) Task_sleep(t/1000)
 #elif defined(WOLFSSL_VXWORKS)
     #include <hostLib.h>
     #include <sockLib.h>
@@ -148,8 +150,19 @@
         #include <signal.h>  /* ignore SIGPIPE */
     #endif
     #define SNPRINTF snprintf
+
+    #define XSELECT_WAIT(x,y) do { \
+        struct timeval tv = {(x),(y)}; \
+        select(0, NULL, NULL, NULL, &tv); \
+    } while (0)
+    #define XSLEEP_US(u) XSELECT_WAIT(0,u)
+    #define XSLEEP_MS(m) XSELECT_WAIT(0,(m)*1000)
 #endif /* USE_WINDOWS_API */
 
+#ifndef XSLEEP_MS
+    #define XSLEEP_MS(t) sleep(t/1000)
+#endif
+
 #ifdef WOLFSSL_ASYNC_CRYPT
     #include <libwolfssl/wolfcrypt/async.h>
 #endif
@@ -409,6 +422,7 @@ typedef struct callback_functions {
     ssl_callback ssl_ready;
     ssl_callback on_result;
     WOLFSSL_CTX* ctx;
+    unsigned char isSharedCtx:1;
 } callback_functions;
 
 typedef struct func_args {
@@ -1302,7 +1316,7 @@ static WC_INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint,
     (void)key_max_len;
 
     /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
-    strncpy(identity, kIdentityStr, id_max_len);
+    XSTRNCPY(identity, kIdentityStr, id_max_len);
 
     if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) {
         /* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using
@@ -1336,7 +1350,7 @@ static WC_INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identit
     (void)key_max_len;
 
     /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
-    if (strncmp(identity, kIdentityStr, strlen(kIdentityStr)) != 0)
+    if (XSTRNCMP(identity, kIdentityStr, XSTRLEN(kIdentityStr)) != 0)
         return 0;
 
     if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) {
@@ -1370,13 +1384,14 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl,
 {
     int i;
     int b = 0x01;
+    const char* userCipher = (const char*)wolfSSL_get_psk_callback_ctx(ssl);
 
     (void)ssl;
     (void)hint;
     (void)key_max_len;
 
     /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
-    strncpy(identity, kIdentityStr, id_max_len);
+    XSTRNCPY(identity, kIdentityStr, id_max_len);
 
     for (i = 0; i < 32; i++, b += 0x22) {
         if (b >= 0x100)
@@ -1384,7 +1399,7 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl,
         key[i] = b;
     }
 
-    *ciphersuite = "TLS13-AES128-GCM-SHA256";
+    *ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
 
     return 32;   /* length of key in octets or 0 for error */
 }
@@ -1396,12 +1411,13 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl,
 {
     int i;
     int b = 0x01;
+    const char* userCipher = (const char*)wolfSSL_get_psk_callback_ctx(ssl);
 
     (void)ssl;
     (void)key_max_len;
 
     /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
-    if (strncmp(identity, kIdentityStr, strlen(kIdentityStr)) != 0)
+    if (XSTRNCMP(identity, kIdentityStr, XSTRLEN(kIdentityStr)) != 0)
         return 0;
 
     for (i = 0; i < 32; i++, b += 0x22) {
@@ -1410,12 +1426,12 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl,
         key[i] = b;
     }
 
-    *ciphersuite = "TLS13-AES128-GCM-SHA256";
+    *ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
 
     return 32;   /* length of key in octets or 0 for error */
 }
 
-#endif /* NO_PSK */
+#endif /* !NO_PSK */
 
 
 #if defined(WOLFSSL_USER_CURRTIME)
@@ -1675,7 +1691,13 @@ static WC_INLINE void OCSPRespFreeCb(void* ioCtx, unsigned char* response)
     #endif /* !NO_FILESYSTEM || (NO_FILESYSTEM && FORCE_BUFFER_TEST) */
 #endif /* !NO_CERTS */
 
-static int myVerifyFail = 0;
+enum {
+    VERIFY_OVERRIDE_ERROR,
+    VERIFY_FORCE_FAIL,
+    VERIFY_USE_PREVERFIY,
+    VERIFY_OVERRIDE_DATE_ERR,
+};
+static THREAD_LS_T int myVerifyAction = VERIFY_OVERRIDE_ERROR;
 
 /* The verify callback is called for every certificate only when
  * --enable-opensslextra is defined because it sets WOLFSSL_ALWAYS_VERIFY_CB and
@@ -1727,7 +1749,7 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
         XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
         XFREE(issuer,  0, DYNAMIC_TYPE_OPENSSL);
 #if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
-/* avoid printing duplicate certs */
+        /* avoid printing duplicate certs */
         if (store->depth == 1) {
             /* retrieve x509 certs and display them on stdout */
             sk = wolfSSL_X509_STORE_GetCerts(store);
@@ -1762,37 +1784,24 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
     printf("\tSubject's domain name at %d is %s\n", store->error_depth, store->domain);
 
     /* Testing forced fail case by return zero */
-    if (myVerifyFail) {
+    if (myVerifyAction == VERIFY_FORCE_FAIL) {
         return 0; /* test failure case */
     }
 
+    if (myVerifyAction == VERIFY_OVERRIDE_DATE_ERR && 
+        (store->error == ASN_BEFORE_DATE_E || store->error == ASN_AFTER_DATE_E)) {
+        printf("Overriding cert date error as example for bad clock testing\n");
+        return 1;
+    }
+
     /* If error indicate we are overriding it for testing purposes */
-    if (store->error != 0) {
+    if (store->error != 0 && myVerifyAction == VERIFY_OVERRIDE_ERROR) {
         printf("\tAllowing failed certificate check, testing only "
             "(shouldn't do this in production)\n");
     }
 
     /* A non-zero return code indicates failure override */
-    return 1;
+    return (myVerifyAction == VERIFY_OVERRIDE_ERROR) ? 1 : preverify;
-}
-
-
-static WC_INLINE int myDateCb(int preverify, WOLFSSL_X509_STORE_CTX* store)
-{
-    char buffer[WOLFSSL_MAX_ERROR_SZ];
-    (void)preverify;
-
-    printf("In verification callback, error = %d, %s\n", store->error,
-                                 wolfSSL_ERR_error_string(store->error, buffer));
-    printf("Subject's domain name is %s\n", store->domain);
-
-    if (store->error == ASN_BEFORE_DATE_E || store->error == ASN_AFTER_DATE_E) {
-        printf("Overriding cert date error as example for bad clock testing\n");
-        return 1;
-    }
-    printf("Cert error is not date error, not overriding\n");
-
-    return 0;
 }
 
 
@@ -1952,7 +1961,7 @@ static WC_INLINE int StackSizeCheck(func_args* args, thread_func tf)
     int            ret, i, used;
     void*          status;
     unsigned char* myStack = NULL;
-    int            stackSize = 1024*152;
+    int            stackSize = 1024*176;
     pthread_attr_t myAttr;
     pthread_t      threadId;
 
@@ -2664,6 +2673,13 @@ static WC_INLINE int myEccSharedSecret(WOLFSSL* ssl, ecc_key* otherKey,
         ret = BAD_FUNC_ARG;
     }
 
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \
+                                                         !defined(HAVE_SELFTEST)
+    if (ret == 0) {
+        ret = wc_ecc_set_rng(privKey, wolfSSL_GetRNG(ssl));
+    }
+#endif
+
     /* generate shared secret and return it */
     if (ret == 0) {
         ret = wc_ecc_shared_secret(privKey, pubKey, out, outlen);
@@ -2873,7 +2889,7 @@ static WC_INLINE int myEd448Sign(WOLFSSL* ssl, const byte* in, word32 inSz,
     if (ret == 0) {
         ret = wc_Ed448PrivateKeyDecode(keyBuf, &idx, &myKey, keySz);
         if (ret == 0)
-            ret = wc_ed448_sign_msg(in, inSz, out, outSz, &myKey);
+            ret = wc_ed448_sign_msg(in, inSz, out, outSz, &myKey, NULL, 0);
         wc_ed448_free(&myKey);
     }
 
@@ -2905,7 +2921,8 @@ static WC_INLINE int myEd448Verify(WOLFSSL* ssl, const byte* sig, word32 sigSz,
     if (ret == 0) {
         ret = wc_ed448_import_public(key, keySz, &myKey);
         if (ret == 0) {
-            ret = wc_ed448_verify_msg(sig, sigSz, msg, msgSz, result, &myKey);
+            ret = wc_ed448_verify_msg(sig, sigSz, msg, msgSz, result, &myKey,
+                                                                       NULL, 0);
         }
         wc_ed448_free(&myKey);
     }
@@ -3605,15 +3622,16 @@ static WC_INLINE const char* mymktemp(char *tempfn, int len, int num)
                              int enc, byte* ticket, int inLen, int* outLen,
                              void* userCtx)
     {
-        (void)ssl;
-        (void)userCtx;
-
         int ret;
         word16 sLen = XHTONS(inLen);
         byte aad[WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + 2];
         int  aadSz = WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + 2;
         byte* tmp = aad;
 
+        (void)ssl;
+        (void)userCtx;
+
+        /* encrypt */
         if (enc) {
             XMEMCPY(key_name, myKey_ctx.name, WOLFSSL_TICKET_NAME_SZ);
 
@@ -3634,8 +3652,9 @@ static WC_INLINE const char* mymktemp(char *tempfn, int len, int num)
                                               mac);
             if (ret != 0) return WOLFSSL_TICKET_RET_REJECT;
             *outLen = inLen;  /* no padding in this mode */
-        } else {
+        }
-            /* decrypt */
+        /* decrypt */
+        else {
 
             /* see if we know this key */
             if (XMEMCMP(key_name, myKey_ctx.name, WOLFSSL_TICKET_NAME_SZ) != 0){
@@ -3662,7 +3681,7 @@ static WC_INLINE const char* mymktemp(char *tempfn, int len, int num)
         return WOLFSSL_TICKET_RET_OK;
     }
 
-#endif  /* HAVE_SESSION_TICKET && CHACHA20 && POLY1305 */
+#endif  /* HAVE_SESSION_TICKET && HAVE_CHACHA && HAVE_POLY1305 */
 
 static WC_INLINE word16 GetRandomPort(void)
 {

source/libwolfssl/version.h

@@ -28,8 +28,8 @@
 extern "C" {
 #endif
 
-#define LIBWOLFSSL_VERSION_STRING "4.4.0"
+#define LIBWOLFSSL_VERSION_STRING "4.5.0"
-#define LIBWOLFSSL_VERSION_HEX 0x04004000
+#define LIBWOLFSSL_VERSION_HEX 0x04005000
 
 #ifdef __cplusplus
 }

source/libwolfssl/wolfcrypt/aes.h

@@ -22,8 +22,15 @@
 /*!
     \file wolfssl/wolfcrypt/aes.h
 */
+/*
 
+DESCRIPTION
+This library provides the interfaces to the Advanced Encryption Standard (AES)
+for encrypting and decrypting data. AES is the standard known for a symmetric
+block cipher mechanism that uses n-bit binary string parameter key with 128-bits,
+192-bits, and 256-bits of key sizes.
 
+*/
 #ifndef WOLF_CRYPT_AES_H
 #define WOLF_CRYPT_AES_H
 

source/libwolfssl/wolfcrypt/asn.h

@@ -23,6 +23,14 @@
     \file wolfssl/wolfcrypt/asn.h
 */
 
+/*
+
+DESCRIPTION
+This library provides the interface to Abstract Syntax Notation One (ASN.1) objects.
+ASN.1 is a standard interface description language for defining data structures
+that can be serialized and deserialized in a cross-platform way.
+
+*/
 #ifndef WOLF_CRYPT_ASN_H
 #define WOLF_CRYPT_ASN_H
 
@@ -233,6 +241,7 @@ enum
     NID_jurisdictionStateOrProvinceName = 0xd,
     NID_businessCategory = ASN_BUS_CAT,
     NID_domainComponent = ASN_DOMAIN_COMPONENT,
+    NID_userId = 458,
     NID_emailAddress = 0x30,           /* emailAddress */
     NID_id_on_dnsSRV = 82,             /* 1.3.6.1.5.5.7.8.7 */
     NID_ms_upn = 265,                  /* 1.3.6.1.4.1.311.20.2.3 */
@@ -341,7 +350,8 @@ enum Misc_ASN {
     #endif
                                    /* Max total extensions, id + len + others */
 #endif
-#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
+#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \
+        defined(HAVE_PKCS7) || defined(OPENSSL_EXTRA_X509_SMALL)
     MAX_OID_SZ          = 32,      /* Max DER length of OID*/
     MAX_OID_STRING_SZ   = 64,      /* Max string length representation of OID*/
 #endif
@@ -356,7 +366,7 @@ enum Misc_ASN {
     MAX_CERTPOL_SZ      = CTC_MAX_CERTPOL_SZ,
 #endif
     MAX_AIA_SZ          = 2,       /* Max Authority Info Access extension size*/
-    MAX_NAME_ENTRIES    = 5,       /* extra entries added to x509 name struct */
+    MAX_NAME_ENTRIES    = 13,      /* entries added to x509 name struct */
     OCSP_NONCE_EXT_SZ   = 35,      /* OCSP Nonce Extension size */
     MAX_OCSP_EXT_SZ     = 58,      /* Max OCSP Extension length */
     MAX_OCSP_NONCE_SZ   = 16,      /* OCSP Nonce size           */
@@ -371,6 +381,8 @@ enum Misc_ASN {
     TRAILING_ZERO       = 1,       /* Used for size of zero pad */
     ASN_TAG_SZ          = 1,       /* single byte ASN.1 tag */
     MIN_VERSION_SZ      = 3,       /* Min bytes needed for GetMyVersion */
+    MAX_X509_VERSION    = 3,       /* Max X509 version allowed */
+    MIN_X509_VERSION    = 0,       /* Min X509 version allowed */
 #if defined(OPENSSL_ALL)  || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
     defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
     defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
@@ -609,64 +621,6 @@ struct Base_entry {
     byte        type;   /* Name base type (DNS or RFC822) */
 };
 
-#define DOMAIN_COMPONENT_MAX 10
-#define DN_NAMES_MAX 9
-
-struct DecodedName {
-    char*   fullName;
-    int     fullNameLen;
-    int     entryCount;
-    int     cnIdx;
-    int     cnLen;
-    int     cnNid;
-    int     snIdx;
-    int     snLen;
-    int     snNid;
-    int     cIdx;
-    int     cLen;
-    int     cNid;
-    int     lIdx;
-    int     lLen;
-    int     lNid;
-    int     stIdx;
-    int     stLen;
-    int     stNid;
-    int     oIdx;
-    int     oLen;
-    int     oNid;
-    int     ouIdx;
-    int     ouLen;
-#ifdef WOLFSSL_CERT_EXT
-    int     bcIdx;
-    int     bcLen;
-    int     jcIdx;
-    int     jcLen;
-    int     jsIdx;
-    int     jsLen;
-#endif
-    int     ouNid;
-    int     emailIdx;
-    int     emailLen;
-    int     emailNid;
-    int     uidIdx;
-    int     uidLen;
-    int     uidNid;
-    int     serialIdx;
-    int     serialLen;
-    int     serialNid;
-    int     dcIdx[DOMAIN_COMPONENT_MAX];
-    int     dcLen[DOMAIN_COMPONENT_MAX];
-    int     dcNum;
-    int     dcMode;
-#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-    /* hold the location / order with which each of the DN tags was found
-     *
-     * example of ASN_DOMAIN_COMPONENT at index 0 if first found and so on.
-     */
-    int     loc[DOMAIN_COMPONENT_MAX + DN_NAMES_MAX];
-    int     locSz;
-#endif
-};
 
 enum SignatureState {
     SIG_STATE_BEGIN,
@@ -784,7 +738,6 @@ struct CertSignCtx {
 #endif
 
 typedef struct DecodedCert DecodedCert;
-typedef struct DecodedName DecodedName;
 typedef struct Signer      Signer;
 #ifdef WOLFSSL_TRUST_PEER_CERT
 typedef struct TrustedPeerCert TrustedPeerCert;
@@ -911,8 +864,9 @@ struct DecodedCert {
     int     subjectEmailLen;
 #endif /* WOLFSSL_CERT_GEN */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-    DecodedName issuerName;
+    /* WOLFSSL_X509_NAME structures (used void* to avoid including ssl.h) */
-    DecodedName subjectName;
+    void* issuerName;
+    void* subjectName;
 #endif /* OPENSSL_EXTRA */
 #ifdef WOLFSSL_SEP
     int     deviceTypeSz;
@@ -1052,6 +1006,7 @@ struct TrustedPeerCert {
 #endif
 
 WOLFSSL_LOCAL int CalcHashId(const byte* data, word32 len, byte* hash);
+WOLFSSL_LOCAL int GetName(DecodedCert* cert, int nameType, int maxIdx);
 
 WOLFSSL_ASN_API int wc_BerToDer(const byte* ber, word32 berSz, byte* der,
                                 word32* derSz);
@@ -1118,12 +1073,14 @@ WOLFSSL_LOCAL int GetAsnTimeString(void* currTime, byte* buf, word32 len);
 WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format,
                                                  wolfssl_tm* certTime, int* idx);
 WOLFSSL_LOCAL int DateGreaterThan(const struct tm* a, const struct tm* b);
-WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);
+WOLFSSL_LOCAL int wc_ValidateDate(const byte* date, byte format, int dateType);
 WOLFSSL_LOCAL int wc_OBJ_sn2nid(const char *sn);
 
 /* ASN.1 helper functions */
 #ifdef WOLFSSL_CERT_GEN
 WOLFSSL_ASN_API int SetName(byte* output, word32 outputSz, CertName* name);
+WOLFSSL_LOCAL const char* GetOneCertName(CertName* name, int idx);
+WOLFSSL_LOCAL byte GetCertNameId(int idx);
 #endif
 WOLFSSL_LOCAL int GetShortInt(const byte* input, word32* inOutIdx, int* number,
                               word32 maxIdx);

source/libwolfssl/wolfcrypt/asn_public.h

@@ -23,6 +23,11 @@
     \file wolfssl/wolfcrypt/asn_public.h
 */
 
+/*
+DESCRIPTION
+This library defines the interface APIs for X509 certificates.
+
+*/
 #ifndef WOLF_CRYPT_ASN_PUBLIC_H
 #define WOLF_CRYPT_ASN_PUBLIC_H
 

source/libwolfssl/wolfcrypt/chacha.h

@@ -18,7 +18,12 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
+/*
 
+DESCRIPTION
+This library contains implementation for the ChaCha20 stream cipher.
+
+*/
 /*!
     \file wolfssl/wolfcrypt/chacha.h
 */
@@ -35,9 +40,21 @@
     extern "C" {
 #endif
 
+/*
+Initialization vector starts at 13 with zero being the index origin of a matrix.
+Block counter is located at index 12.
+  0   1   2   3
+  4   5   6   7
+  8   9   10  11
+  12  13  14  15
+*/
+#define CHACHA_MATRIX_CNT_IV 12
+
 /* Size of the IV */
 #define CHACHA_IV_WORDS    3
-#define CHACHA_IV_BYTES    (CHACHA_IV_WORDS * sizeof(word32))
+
+/* Size of IV in bytes*/
+#define CHACHA_IV_BYTES 12
 
 /* Size of ChaCha chunks */
 #define CHACHA_CHUNK_WORDS 16
@@ -57,10 +74,13 @@ enum {
 
 typedef struct ChaCha {
     word32 X[CHACHA_CHUNK_WORDS];           /* state of cipher */
-    word32 left;                            /* number of bytes leftover */
 #ifdef HAVE_INTEL_AVX1
     /* vpshufd reads 16 bytes but we only use bottom 4. */
     byte extra[12];
+#endif
+    word32 left;                            /* number of bytes leftover */
+#ifdef USE_INTEL_CHACHA_SPEEDUP
+    word32 over[CHACHA_CHUNK_WORDS];
 #endif
 } ChaCha;
 

source/libwolfssl/wolfcrypt/chacha20_poly1305.h

@@ -18,12 +18,14 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
+/*
 
+DESCRIPTION
+This library contains implementation for the ChaCha20 stream cipher and
+the Poly1305 authenticator, both as as combined-mode,
+or Authenticated Encryption with Additional Data (AEAD) algorithm.
 
-/* This implementation of the ChaCha20-Poly1305 AEAD is based on "ChaCha20
+*/
- * and Poly1305 for IETF protocols" (draft-irtf-cfrg-chacha20-poly1305-10):
- * https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10
- */
 
 /*!
     \file wolfssl/wolfcrypt/chacha20_poly1305.h
@@ -45,6 +47,7 @@
 #define CHACHA20_POLY1305_AEAD_KEYSIZE      32
 #define CHACHA20_POLY1305_AEAD_IV_SIZE      12
 #define CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE 16
+#define CHACHA20_POLY1305_MAX               4294967295U
 
 enum {
     CHACHA20_POLY_1305_ENC_TYPE = 8,    /* cipher unique type */

source/libwolfssl/wolfcrypt/cryptocb.h

@@ -6,7 +6,7 @@
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
+ * the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
  *
  * wolfSSL is distributed in the hope that it will be useful,

source/libwolfssl/wolfcrypt/curve25519.h

@@ -86,6 +86,10 @@ enum {
     EC25519_BIG_ENDIAN=1
 };
 
+WOLFSSL_API
+int wc_curve25519_make_pub(int public_size, byte* pub, int private_size,
+                           const byte* priv);
+
 WOLFSSL_API
 int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key);
 

source/libwolfssl/wolfcrypt/dh.h

@@ -45,11 +45,19 @@
 #ifdef WOLFSSL_ASYNC_CRYPT
     #include <libwolfssl/wolfcrypt/async.h>
 #endif
+
+/* Optional support extended DH public / private keys */
+#if !defined(WOLFSSL_DH_EXTRA) && (defined(WOLFSSL_QT) || \
+        defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH) || \
+        defined(WOLFSSL_STATIC_EPHEMERAL))
+    #define WOLFSSL_DH_EXTRA
+#endif
+
 typedef struct DhParams {
-    #ifdef HAVE_FFDHE_Q
+#ifdef HAVE_FFDHE_Q
     const byte* q;
     word32      q_len;
-    #endif /* HAVE_FFDHE_Q */
+#endif /* HAVE_FFDHE_Q */
     const byte* p;
     word32      p_len;
     const byte* g;
@@ -58,8 +66,8 @@ typedef struct DhParams {
 
 /* Diffie-Hellman Key */
 struct DhKey {
-    mp_int p, g, q;                         /* group parameters  */
+    mp_int p, g, q; /* group parameters */
-#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH)
+#ifdef WOLFSSL_DH_EXTRA
     mp_int pub;
     mp_int priv;
 #endif
@@ -101,15 +109,20 @@ WOLFSSL_API int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz,
                        word32 pubSz);
 
 WOLFSSL_API int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key,
-                           word32);
+                           word32); /* wc_DhKeyDecode is in asn.c */
+
 WOLFSSL_API int wc_DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g,
                         word32 gSz);
 WOLFSSL_API int wc_DhSetKey_ex(DhKey* key, const byte* p, word32 pSz,
                         const byte* g, word32 gSz, const byte* q, word32 qSz);
-#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
+
-WOLFSSL_LOCAL int wc_DhSetFullKeys(DhKey* key,const byte* priv_key,word32 privSz,
+#ifdef WOLFSSL_DH_EXTRA
-                                   const byte* pub_key, word32 pubSz);
+WOLFSSL_API int wc_DhImportKeyPair(DhKey* key, const byte* priv, word32 privSz,
-#endif
+                                   const byte* pub, word32 pubSz);
+WOLFSSL_API int wc_DhExportKeyPair(DhKey* key, byte* priv, word32* pPrivSz, 
+                                   byte* pub, word32* pPubSz);
+#endif /* WOLFSSL_DH_EXTRA */
+
 WOLFSSL_API int wc_DhSetCheckKey(DhKey* key, const byte* p, word32 pSz,
                         const byte* g, word32 gSz, const byte* q, word32 qSz,
                         int trusted, WC_RNG* rng);
@@ -136,4 +149,3 @@ WOLFSSL_API int wc_DhExportParamsRaw(DhKey* dh, byte* p, word32* pSz,
 
 #endif /* NO_DH */
 #endif /* WOLF_CRYPT_DH_H */
-

source/libwolfssl/wolfcrypt/ecc.h

@@ -50,7 +50,7 @@
     #endif
 #endif
 
-#ifdef WOLFSSL_ATECC508A
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
     #include <libwolfssl/wolfcrypt/port/atmel/atmel.h>
 #endif /* WOLFSSL_ATECC508A */
 
@@ -58,6 +58,11 @@
     #include <libwolfssl/wolfcrypt/port/arm/cryptoCell.h>
 #endif
 
+#ifdef WOLFSSL_HAVE_SP_ECC
+    #include <libwolfssl/wolfcrypt/sp_int.h>
+#endif
+
+
 #ifdef __cplusplus
     extern "C" {
 #endif
@@ -127,7 +132,7 @@ enum {
     ECC_MAX_SIG_SIZE= ((MAX_ECC_BYTES * 2) + ECC_MAX_PAD_SZ + SIG_HEADER_SZ),
 
     /* max crypto hardware size */
-#ifdef WOLFSSL_ATECC508A
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
     ECC_MAX_CRYPTO_HW_SIZE = ATECC_KEY_SIZE, /* from port/atmel/atmel.h */
     ECC_MAX_CRYPTO_HW_PUBKEY_SIZE = (ATECC_KEY_SIZE*2),
 #elif defined(PLUTON_CRYPTO_ECC)
@@ -278,14 +283,15 @@ typedef struct ecc_set_type {
  * mp_ints for the components of the point. With ALT_ECC_SIZE, the components
  * of the point are pointers that are set to each of a three item array of
  * alt_fp_ints. While an mp_int will have 4096 bits of digit inside the
- * structure, the alt_fp_int will only have 528 bits. A size value was added
+ * structure, the alt_fp_int will only have 512 bits for ECC 256-bit and 
- * in the ALT case, as well, and is set by mp_init() and alt_fp_init(). The
+ * 1056-bits for ECC 521-bit. A size value was added in the ALT case, as well, 
- * functions fp_zero() and fp_copy() use the size parameter. An int needs to
+ * and is set by mp_init() and alt_fp_init(). The functions fp_zero() and 
- * be initialized before using it instead of just fp_zeroing it, the init will
+ * fp_copy() use the size parameter. An int needs to be initialized before 
- * call zero. FP_MAX_BITS_ECC defaults to 528, but can be set to change the
+ * using it instead of just fp_zeroing it, the init will call zero. The 
- * number of bits used in the alternate FP_INT.
+ * FP_MAX_BITS_ECC defaults to calculating based on MAX_ECC_BITS, but 
+ * can be set to change the number of bits used in the alternate FP_INT.
  *
- * Do not enable ALT_ECC_SIZE and disable fast math in the configuration.
+ * The ALT_ECC_SIZE option only applies to stack based fast math USE_FAST_MATH.
  */
 
 #ifndef USE_FAST_MATH
@@ -294,19 +300,18 @@ typedef struct ecc_set_type {
 
 /* determine max bits required for ECC math */
 #ifndef FP_MAX_BITS_ECC
-    /* check alignment */
+    /* max bits rounded up by 8 then doubled */
-    #if ((MAX_ECC_BITS * 2) % DIGIT_BIT) == 0
+    /* (ROUND8(MAX_ECC_BITS) * 2) */
-        /* max bits is double */
+    #define FP_MAX_BITS_ECC (2 * \
-        #define FP_MAX_BITS_ECC     (MAX_ECC_BITS * 2)
+        ((MAX_ECC_BITS + DIGIT_BIT - 1) / DIGIT_BIT) * DIGIT_BIT)
-    #else
+
-        /* max bits is doubled, plus one digit of fudge */
+    /* Note: For ECC verify only FP_MAX_BITS_ECC can be reduced to:
-        #define FP_MAX_BITS_ECC     ((MAX_ECC_BITS * 2) + DIGIT_BIT)
+             ROUND8(MAX_ECC_BITS) + ROUND8(DIGIT_BIT) */
-    #endif
+#endif
-#else
+
-    /* verify alignment */
+/* verify alignment */
-    #if FP_MAX_BITS_ECC % CHAR_BIT
+#if FP_MAX_BITS_ECC % CHAR_BIT
-       #error FP_MAX_BITS_ECC must be a multiple of CHAR_BIT
+    #error FP_MAX_BITS_ECC must be a multiple of CHAR_BIT
-    #endif
 #endif
 
 /* determine buffer size */
@@ -353,6 +358,19 @@ enum {
 #endif
 };
 
+/* ECC non-blocking */
+#ifdef WC_ECC_NONBLOCK
+    typedef struct ecc_nb_ctx {
+    #if defined(WOLFSSL_HAVE_SP_ECC) && defined(WOLFSSL_SP_NONBLOCK)
+        sp_ecc_ctx_t sp_ctx;
+    #else
+        /* build configuration not supported */
+        #error ECC non-blocking only supports SP (--enable-sp=nonblock)
+    #endif
+    } ecc_nb_ctx_t;
+#endif /* WC_ECC_NONBLOCK */
+
+
 /* An ECC Key */
 struct ecc_key {
     int type;           /* Public or Private */
@@ -369,7 +387,7 @@ struct ecc_key {
     void* heap;         /* heap hint */
     ecc_point pubkey;   /* public key */
     mp_int    k;        /* private key */
-#ifdef WOLFSSL_ATECC508A
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
     int  slot;        /* Key Slot Number (-1 unknown) */
     byte pubkey_raw[ECC_MAX_CRYPTO_HW_PUBKEY_SIZE];
 #endif
@@ -413,6 +431,12 @@ struct ecc_key {
 #ifdef WOLFSSL_DSP
     remote_handle64 handle;
 #endif
+#ifdef ECC_TIMING_RESISTANT
+    WC_RNG* rng;
+#endif
+#ifdef WC_ECC_NONBLOCK
+    ecc_nb_ctx_t* nb_ctx;
+#endif
 };
 
 
@@ -427,7 +451,7 @@ extern const size_t ecc_sets_count;
 WOLFSSL_API
 const char* wc_ecc_get_name(int curve_id);
 
-#ifndef WOLFSSL_ATECC508A
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
 
 #ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
     #define ECC_API    WOLFSSL_API
@@ -455,6 +479,8 @@ int wc_ecc_make_key_ex(WC_RNG* rng, int keysize, ecc_key* key, int curve_id);
 WOLFSSL_API
 int wc_ecc_make_pub(ecc_key* key, ecc_point* pubOut);
 WOLFSSL_API
+int wc_ecc_make_pub_ex(ecc_key* key, ecc_point* pubOut, WC_RNG* rng);
+WOLFSSL_API
 int wc_ecc_check_key(ecc_key* key);
 WOLFSSL_API
 int wc_ecc_is_point(ecc_point* ecp, mp_int* a, mp_int* b, mp_int* prime);
@@ -472,7 +498,8 @@ WOLFSSL_API
 int wc_ecc_shared_secret_ex(ecc_key* private_key, ecc_point* point,
                              byte* out, word32 *outlen);
 
-#if defined(WOLFSSL_ATECC508A) || defined(PLUTON_CRYPTO_ECC) || defined(WOLFSSL_CRYPTOCELL)
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
+    defined(PLUTON_CRYPTO_ECC) || defined(WOLFSSL_CRYPTOCELL)
 #define wc_ecc_shared_secret_ssh wc_ecc_shared_secret
 #else
 #define wc_ecc_shared_secret_ssh wc_ecc_shared_secret_ex /* For backwards compat */
@@ -521,6 +548,12 @@ WOLFSSL_API
 int wc_ecc_set_flags(ecc_key* key, word32 flags);
 WOLFSSL_API
 void wc_ecc_fp_free(void);
+WOLFSSL_LOCAL
+void wc_ecc_fp_init(void);
+#ifdef ECC_TIMING_RESISTANT
+WOLFSSL_API
+int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
+#endif
 
 WOLFSSL_API
 int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);
@@ -568,14 +601,20 @@ WOLFSSL_API
 int wc_ecc_cmp_point(ecc_point* a, ecc_point *b);
 WOLFSSL_API
 int wc_ecc_point_is_at_infinity(ecc_point *p);
+WOLFSSL_API
+int wc_ecc_point_is_on_curve(ecc_point *p, int curve_idx);
 
-#ifndef WOLFSSL_ATECC508A
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
 WOLFSSL_API
 int wc_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R,
                   mp_int* a, mp_int* modulus, int map);
 WOLFSSL_LOCAL
 int wc_ecc_mulmod_ex(mp_int* k, ecc_point *G, ecc_point *R,
                   mp_int* a, mp_int* modulus, int map, void* heap);
+WOLFSSL_LOCAL
+int wc_ecc_mulmod_ex2(mp_int* k, ecc_point *G, ecc_point *R, mp_int* a,
+                      mp_int* modulus, mp_int* order, WC_RNG* rng, int map,
+                      void* heap);
 #endif /* !WOLFSSL_ATECC508A */
 
 
@@ -754,6 +793,10 @@ int sp_dsp_ecc_verify_256(remote_handle64 handle, const byte* hash, word32 hashL
     mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap);
 #endif
 
+#ifdef WC_ECC_NONBLOCK
+    WOLFSSL_API int wc_ecc_set_nonblock(ecc_key *key, ecc_nb_ctx_t* ctx);
+#endif
+
 #ifdef __cplusplus
     }    /* extern "C" */
 #endif

source/libwolfssl/wolfcrypt/error-crypt.h

@@ -22,6 +22,11 @@
 /*!
     \file wolfssl/wolfcrypt/error-crypt.h
 */
+/*
+DESCRIPTION
+This library defines error codes and contians routines for setting and examining
+the error status.
+*/
 
 #ifndef WOLF_CRYPT_ERROR_H
 #define WOLF_CRYPT_ERROR_H
@@ -227,10 +232,10 @@ enum {
     CRYPTOCB_UNAVAILABLE= -271,  /* Crypto callback unavailable */
     PKCS7_SIGNEEDS_CHECK= -272,  /* signature needs verified by caller */
     PSS_SALTLEN_RECOVER_E=-273,  /* PSS slat length not recoverable */
+    CHACHA_POLY_OVERFLOW =-274,  /* ChaCha20Poly1305 limit overflow */
+    ASN_SELF_SIGNED_E   = -275,  /* ASN self-signed certificate error */
 
-    ASN_SELF_SIGNED_E   = -274, /* ASN self-signed certificate error */
+    WC_LAST_E           = -275,  /* Update this to indicate last error */
-
-    WC_LAST_E           = -274,  /* Update this to indicate last error */
     MIN_CODE_E          = -300   /* errors -101 - -299 */
 
     /* add new companion error id strings for any new error codes

source/libwolfssl/wolfcrypt/fe_448.h

@@ -40,7 +40,7 @@
 #endif
 
 /* default to be faster but take more memory */
-#if !defined(CURVE448_SMALL) || !defined(ED448_SMALL)
+#if !defined(CURVE448_SMALL) && !defined(ED448_SMALL)
 
 #if defined(CURVED448_128BIT)
     typedef int64_t fe448;

source/libwolfssl/wolfcrypt/fe_operations.h

@@ -79,7 +79,7 @@ Bounds on each t[i] vary depending on context.
 #if !defined(FREESCALE_LTC_ECC)
 WOLFSSL_LOCAL void fe_init(void);
 
-WOLFSSL_LOCAL int  curve25519(byte * q, byte * n, byte * p);
+WOLFSSL_LOCAL int  curve25519(byte * q, const byte * n, const byte * p);
 #endif
 
 /* default to be faster but take more memory */

source/libwolfssl/wolfcrypt/hmac.h

@@ -131,11 +131,11 @@ typedef union {
 #ifdef WOLFSSL_SHA3
     wc_Sha3 sha3;
 #endif
-} Hash;
+} wc_Hmac_Hash;
 
 /* Hmac digest */
 struct Hmac {
-    Hash    hash;
+    wc_Hmac_Hash    hash;
     word32  ipad[WC_HMAC_BLOCK_SIZE  / sizeof(word32)];  /* same block size all*/
     word32  opad[WC_HMAC_BLOCK_SIZE  / sizeof(word32)];
     word32  innerHash[WC_MAX_DIGEST_SIZE / sizeof(word32)];

source/libwolfssl/wolfcrypt/integer.h

@@ -318,6 +318,7 @@ MP_API int  mp_is_bit_set (mp_int * a, mp_digit b);
 MP_API int  mp_mod (mp_int * a, mp_int * b, mp_int * c);
 MP_API int  mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d);
 MP_API int  mp_div_2(mp_int * a, mp_int * b);
+MP_API int  mp_div_2_mod_ct (mp_int* a, mp_int* b, mp_int* c);
 MP_API int  mp_add (mp_int * a, mp_int * b, mp_int * c);
 int  s_mp_add (mp_int * a, mp_int * b, mp_int * c);
 int  s_mp_sub (mp_int * a, mp_int * b, mp_int * c);
@@ -332,6 +333,7 @@ MP_API int  mp_exptmod_base_2 (mp_int * X, mp_int * P, mp_int * Y);
 MP_API int  mp_montgomery_setup (mp_int * n, mp_digit * rho);
 int  fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho);
 MP_API int  mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho);
+#define mp_montgomery_reduce_ex(x, n, rho, ct) mp_montgomery_reduce (x, n, rho)
 MP_API void mp_dr_setup(mp_int *a, mp_digit *d);
 MP_API int  mp_dr_reduce (mp_int * x, mp_int * n, mp_digit k);
 MP_API int  mp_reduce_2k(mp_int *a, mp_int *n, mp_digit d);
@@ -355,6 +357,8 @@ MP_API int  mp_sqr (mp_int * a, mp_int * b);
 MP_API int  mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d);
 MP_API int  mp_submod (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_addmod (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
+MP_API int  mp_submod_ct (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
+MP_API int  mp_addmod_ct (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_mul_d (mp_int * a, mp_digit b, mp_int * c);
 MP_API int  mp_2expt (mp_int * a, int b);
 MP_API int  mp_set_bit (mp_int * a, int b);

source/libwolfssl/wolfcrypt/memory.h

@@ -110,7 +110,11 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb*,
         #elif defined (OPENSSL_EXTRA)
             /* extra storage in structs for multiple attributes and order */
             #ifndef LARGEST_MEM_BUCKET
-                #define LARGEST_MEM_BUCKET 25600
+                #ifdef WOLFSSL_TLS13
+                    #define LARGEST_MEM_BUCKET 30400
+                #else
+                    #define LARGEST_MEM_BUCKET 25600
+                #endif
             #endif
             #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3360,4480,\
                                     LARGEST_MEM_BUCKET

source/libwolfssl/wolfcrypt/misc.h

@@ -18,9 +18,13 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
+/*
 
+DESCRIPTION
+This module implements the arithmetic-shift right, left, byte swapping, XOR,
+masking and clearing memory logic.
 
-
+*/
 #ifndef WOLF_CRYPT_MISC_H
 #define WOLF_CRYPT_MISC_H
 

source/libwolfssl/wolfcrypt/pkcs11.h

@@ -6,7 +6,7 @@
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
+ * the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
  *
  * wolfSSL is distributed in the hope that it will be useful,

source/libwolfssl/wolfcrypt/pkcs7.h

@@ -154,8 +154,9 @@ enum Pkcs7_Misc {
                             MAX_SEQ_SZ + ASN_NAME_MAX + MAX_SN_SZ +
                             MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ,
 #if (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
-     (HAVE_FIPS_VERSION >= 2)) || defined(HAVE_SELFTEST)
+     (HAVE_FIPS_VERSION >= 2)) || (defined(HAVE_SELFTEST) && \
-    /* In the event of fips cert 3389 or CAVP selftest build, these enums are
+     (!defined(HAVE_SELFTEST_VERSION) || HAVE_SELFTEST_VERSION < 2))
+    /* In the event of fips cert 3389 or CAVP selftest v1 build, these enums are
      * not in aes.h for use with pkcs7 so enumerate it here outside the fips
      * boundary */
     GCM_NONCE_MID_SZ = 12, /* The usual default nonce size for AES-GCM. */

source/libwolfssl/wolfcrypt/poly1305.h

@@ -119,9 +119,12 @@ WOLFSSL_API int wc_Poly1305_EncodeSizes(Poly1305* ctx, word32 aadSz, word32 data
 WOLFSSL_API int wc_Poly1305_MAC(Poly1305* ctx, byte* additional, word32 addSz,
                                byte* input, word32 sz, byte* tag, word32 tagSz);
 
-void poly1305_block(Poly1305* ctx, const unsigned char *m);
+#if defined(__aarch64__ ) && defined(WOLFSSL_ARMASM)
 void poly1305_blocks(Poly1305* ctx, const unsigned char *m,
                             size_t bytes);
+void poly1305_block(Poly1305* ctx, const unsigned char *m);
+#endif
+
 #ifdef __cplusplus
     } /* extern "C" */
 #endif

source/libwolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h

@@ -35,6 +35,13 @@
 extern "C" {
 #endif
 
+#define TSIP_SESSIONKEY_NONCE_SIZE      8
+
+typedef enum {
+    WOLFSSL_TSIP_NOERROR = 0,
+    WOLFSSL_TSIP_ILLEGAL_CIPHERSUITE = 0xffffffff,
+}wolfssl_tsip_error_number;
+
 typedef enum {
     tsip_Key_SESSION = 1,
     tsip_Key_AES128  = 2,
@@ -52,6 +59,34 @@ enum {
     l_TLS_RSA_WITH_AES_256_CBC_SHA256  = 0x3d,
 };
 
+#if defined(WOLFSSL_RENESAS_TSIP_TLS) && (WOLFSSL_RENESAS_TSIP_VER >=109) 
+
+typedef struct
+{
+    uint8_t                          *encrypted_provisioning_key;
+    uint8_t                          *iv;
+    uint8_t                          *encrypted_user_tls_key;
+    uint32_t                          encrypted_user_tls_key_type;
+    tsip_tls_ca_certification_public_key_index_t  user_rsa2048_tls_pubindex;
+} tsip_key_data;
+
+void tsip_inform_user_keys_ex(
+        byte*       provisioning_key,   /* key got from DLM server */
+        byte*       iv,                 /* iv used for public key  */
+        byte*       encrypted_public_key,/*RSA2048 or ECDSAp256 public key*/
+        word32      public_key_type);   /* 0: RSA-2048 2:ECDSA P-256 */    
+
+int tsip_generateMasterSecretEx(
+        byte        cipherSuiteFirst,
+        byte        cipherSuite,
+        const byte* pr,                 /* pre-master    */
+        const byte* cr,                 /* client random */
+        const byte* sr,                 /* server random */
+        byte*       ms);
+
+
+#elif defined(WOLFSSL_RENESAS_TSIP_TLS) && (WOLFSSL_RENESAS_TSIP_VER >=106)
+
 typedef struct
 {
     uint8_t                          *encrypted_session_key;
@@ -60,45 +95,81 @@ typedef struct
     tsip_tls_ca_certification_public_key_index_t  user_rsa2048_tls_pubindex;
 } tsip_key_data;
 
-struct WOLFSSL;
-
-int  tsip_Open( );
-void tsip_Close( );
-int tsip_hw_lock();
-void tsip_hw_unlock( void );
-int tsip_usable(const struct WOLFSSL *ssl);
-void tsip_inform_sflash_signedcacert(const byte *ps_flash, 
-    const byte *psigned_ca_cert, word32 len);
-void tsip_inform_cert_sign(const byte *sign);
-/* set / get key */
 void tsip_inform_user_keys(byte *encrypted_session_key, byte *iv,
                            byte *encrypted_user_tls_key);
-                           
-byte tsip_rootCAverified( );
-byte tsip_checkCA(word32 cmIdx);
-int tsip_tls_RootCertVerify(const byte *cert  , word32 cert_len,
-                            word32 key_n_start, word32 key_n_len,
-                            word32 key_e_start, word32 key_e_len,
-                            word32 cm_row);
-int tsip_tls_CertVerify(const byte *cert, word32 certSz,
-                        const byte *signature, word32 sigSz,
-                        word32 key_n_start, word32 key_n_len,
-                        word32 key_e_start, word32 key_e_len,
-                        byte *tsip_encRsaKeyIdx);
-void tsip_inform_key_position(const word32 key_n_start, const word32 key_n_len,
-                              const word32 key_e_start, const word32 key_e_len);
-int tsip_generatePremasterSecret(byte *premaster, word32 preSz);
-int tsip_generateEncryptPreMasterSecret(struct WOLFSSL *ssl, byte *out, 
-                                        word32 *outSz);
 int tsip_generateMasterSecret(const byte *pre, const byte *cr,const byte *sr,
                               byte *ms);
-int tsip_generateSeesionKey(struct WOLFSSL *ssl);
+#endif
-int tsip_Sha256Hmac(const struct WOLFSSL *ssl, const byte *myInner, 
+
-            word32 innerSz, const byte *in, word32 sz, byte *digest, 
+struct WOLFSSL;
-            word32 verify);
+
-int tsip_Sha1Hmac(const struct WOLFSSL *ssl, const byte *myInner, 
+int     tsip_Open();
-            word32 innerSz, const byte *in, word32 sz, byte *digest, 
+
-            word32 verify);
+void    tsip_Close();
+
+int     tsip_hw_lock();
+
+void    tsip_hw_unlock( void );
+
+int     tsip_usable(const struct WOLFSSL *ssl);
+
+void    tsip_inform_sflash_signedcacert(
+            const byte* ps_flash, 
+            const byte* psigned_ca_cert,
+            word32      len);
+void    tsip_inform_cert_sign(const byte *sign);                           
+
+byte    tsip_rootCAverified();
+
+byte    tsip_checkCA(word32 cmIdx);
+
+int     tsip_tls_RootCertVerify(
+            const   byte* cert,         word32 cert_len,
+            word32  key_n_start,        word32 key_n_len,
+            word32  key_e_start,        word32 key_e_len,
+            word32  cm_row);
+
+int     tsip_tls_CertVerify(
+            const   byte* cert,         word32 certSz,
+            const   byte* signature,    word32 sigSz,
+            word32  key_n_start,        word32 key_n_len,
+            word32  key_e_start,        word32 key_e_len,
+            byte*   tsip_encRsaKeyIdx);
+
+void    tsip_inform_key_position(
+            const word32 key_n_start,
+            const word32 key_n_len,
+            const word32 key_e_start,
+            const word32 key_e_len);
+
+int     tsip_generatePremasterSecret(
+            byte*   premaster,
+            word32  preSz);
+
+int     tsip_generateEncryptPreMasterSecret(
+            struct WOLFSSL* ssl, 
+            byte*           out, 
+            word32*         outSz);
+
+int     tsip_generateSeesionKey(struct WOLFSSL *ssl);
+
+int     tsip_Sha256Hmac(
+            const struct WOLFSSL *ssl,
+            const byte* myInner, 
+            word32      innerSz,
+            const byte* in,
+            word32      sz,
+            byte*       digest, 
+            word32      verify);
+
+int     tsip_Sha1Hmac(
+            const struct WOLFSSL *ssl,
+            const byte* myInner, 
+            word32      innerSz,
+            const byte* in,
+            word32      sz, 
+            byte*       digest, 
+            word32      verify);
             
 #if (!defined(NO_SHA) || !defined(NO_SHA256)) && \
     !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)
@@ -128,10 +199,10 @@ typedef wolfssl_TSIP_Hash wc_Sha;
 #endif /* NO_SHA */
 
 #if defined(WOLFSSL_RENESAS_TSIP_TLS_AES_CRYPT)
-typedef struct {
+    typedef struct {
-    tsip_aes_key_index_t tsip_keyIdx;
+        tsip_aes_key_index_t tsip_keyIdx;
-    word32               keySize;
+        word32               keySize;
-} TSIP_AES_CTX;
+    } TSIP_AES_CTX;
     
     struct Aes;
     int wc_tsip_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in,

source/libwolfssl/wolfcrypt/port/atmel/atmel.h

@@ -27,14 +27,15 @@
 #include <libwolfssl/wolfcrypt/settings.h>
 #include <libwolfssl/wolfcrypt/error-crypt.h>
 
-#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC_PKCB)
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
+    defined(WOLFSSL_ATECC_PKCB)
     #undef  SHA_BLOCK_SIZE
     #define SHA_BLOCK_SIZE  SHA_BLOCK_SIZE_REMAP
     #include <cryptoauthlib.h>
     #undef SHA_BLOCK_SIZE
 #endif
 
-/* ATECC508A only supports ECC P-256 */
+/* ATECC508A/608A only supports ECC P-256 */
 #define ATECC_KEY_SIZE      (32)
 #define ATECC_PUBKEY_SIZE   (ATECC_KEY_SIZE*2) /* X and Y */
 #define ATECC_SIG_SIZE      (ATECC_KEY_SIZE*2) /* R and S */
@@ -53,11 +54,19 @@
 #endif
 /* Symmetric encryption key */
 #ifndef ATECC_SLOT_I2C_ENC
-#define ATECC_SLOT_I2C_ENC        (0x04)
+    #ifdef WOLFSSL_ATECC_TNGTLS
+        #define ATECC_SLOT_I2C_ENC        (0x06)
+    #else
+        #define ATECC_SLOT_I2C_ENC        (0x04)
+    #endif
 #endif
 /* Parent encryption key */
 #ifndef ATECC_SLOT_ENC_PARENT
-#define ATECC_SLOT_ENC_PARENT     (0x7)
+    #ifdef WOLFSSL_ATECC_TNGTLS
+        #define ATECC_SLOT_ENC_PARENT     (0x6)
+    #else
+        #define ATECC_SLOT_ENC_PARENT     (0x7)
+    #endif
 #endif
 
 /* ATECC_KEY_SIZE required for ecc.h */
@@ -78,7 +87,7 @@ int  atmel_get_random_number(uint32_t count, uint8_t* rand_out);
 #endif
 long atmel_get_curr_time_and_date(long* tm);
 
-#ifdef WOLFSSL_ATECC508A
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
 
 enum atmelSlotType {
     ATMEL_SLOT_ANY,
@@ -100,6 +109,8 @@ int  atmel_ecc_translate_err(int status);
 int  atmel_get_rev_info(word32* revision);
 void atmel_show_rev_info(void);
 
+WOLFSSL_API int wolfCrypt_ATECC_SetConfig(ATCAIfaceCfg* cfg);
+
 /* The macro ATECC_GET_ENC_KEY can be set to override the default
    encryption key with your own at build-time */
 #ifndef ATECC_GET_ENC_KEY

source/libwolfssl/wolfcrypt/port/cypress/psoc6_crypto.h

@@ -0,0 +1,74 @@
+/* psoc6_crypto.h
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef _PSOC6_CRYPTO_PORT_H_
+#define _PSOC6_CRYPTO_PORT_H_
+
+#include <libwolfssl/wolfcrypt/settings.h>
+#ifdef USE_FAST_MATH
+    #include <libwolfssl/wolfcrypt/tfm.h>
+#elif defined WOLFSSL_SP_MATH
+    #include <libwolfssl/wolfcrypt/sp_int.h>
+#else
+    #include <libwolfssl/wolfcrypt/integer.h>
+#endif
+#include "cy_crypto_core_sha.h"
+#include "cy_device_headers.h"
+#include "psoc6_02_config.h"
+#include "cy_crypto_common.h"
+#include "cy_crypto_core.h"
+
+#ifdef WOLFSSL_SHA512
+typedef struct wc_Sha512 {
+    cy_stc_crypto_sha_state_t hash_state;
+    cy_en_crypto_sha_mode_t sha_mode;
+    cy_stc_crypto_v2_sha512_buffers_t sha_buffers;
+} wc_Sha512;
+
+#define WC_SHA512_TYPE_DEFINED
+#include <libwolfssl/wolfcrypt/sha512.h>
+#endif
+
+#ifndef NO_SHA256
+
+typedef struct wc_Sha256 {
+    cy_stc_crypto_sha_state_t hash_state;
+    cy_en_crypto_sha_mode_t sha_mode;
+    cy_stc_crypto_v2_sha256_buffers_t sha_buffers;
+} wc_Sha256;
+
+#include <libwolfssl/wolfcrypt/sha.h>
+#include <libwolfssl/wolfcrypt/sha256.h>
+#endif /* !def NO_SHA256 */
+
+
+#ifdef HAVE_ECC
+#include <libwolfssl/wolfcrypt/ecc.h>
+int psoc6_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
+                    word32 hashlen, int* verif_res, ecc_key* key);
+#endif /* HAVE_ECC */
+
+#define PSOC6_CRYPTO_BASE ((CRYPTO_Type*) CRYPTO_BASE)
+
+/* Crypto HW engine initialization */
+int psoc6_crypto_port_init(void);
+
+#endif /* _PSOC6_CRYPTO_PORT_H_ */

source/libwolfssl/wolfcrypt/port/nxp/ksdk_port.h

@@ -65,8 +65,8 @@ int ksdk_port_init(void);
 	int wc_ecc_point_add(ecc_point *mG, ecc_point *mQ, ecc_point *mR, mp_int *m);
 
 	#ifdef HAVE_CURVE25519
-		int wc_curve25519(ECPoint *q, byte *n, const ECPoint *p, fsl_ltc_ecc_coordinate_system_t type);
+		int nxp_ltc_curve25519(ECPoint *q, const byte *n, const ECPoint *p, fsl_ltc_ecc_coordinate_system_t type);
-		const ECPoint *wc_curve25519_GetBasePoint(void);
+		const ECPoint *nxp_ltc_curve25519_GetBasePoint(void);
 		status_t LTC_PKHA_Curve25519ToWeierstrass(const ltc_pkha_ecc_point_t *ltcPointIn, ltc_pkha_ecc_point_t *ltcPointOut);
 		status_t LTC_PKHA_WeierstrassToCurve25519(const ltc_pkha_ecc_point_t *ltcPointIn, ltc_pkha_ecc_point_t *ltcPointOut);
 		status_t LTC_PKHA_Curve25519ComputeY(ltc_pkha_ecc_point_t *ltcPoint);

source/libwolfssl/wolfcrypt/port/st/stm32.h

@@ -28,11 +28,6 @@
 #include <libwolfssl/wolfcrypt/settings.h>
 #include <libwolfssl/wolfcrypt/types.h>
 
-#if defined(WOLFSSL_STM32_PKA) && defined(HAVE_ECC)
-    #include <libwolfssl/wolfcrypt/integer.h>
-    #include <libwolfssl/wolfcrypt/ecc.h>
-#endif
-
 #ifdef STM32_HASH
 
 #define WOLFSSL_NO_HASH_RAW
@@ -54,6 +49,9 @@
 #if !defined(HASH_DATATYPE_8B) && defined(HASH_DataType_8b)
     #define HASH_DATATYPE_8B HASH_DataType_8b
 #endif
+#ifndef HASH_STR_NBW
+	#define HASH_STR_NBW HASH_STR_NBLW
+#endif
 
 #ifndef STM32_HASH_TIMEOUT
     #define STM32_HASH_TIMEOUT 0xFFFF
@@ -93,19 +91,30 @@ int  wc_Stm32_Hash_Final(STM32_HASH_Context* stmCtx, word32 algo,
 
 #ifndef NO_AES
     #if !defined(STM32_CRYPTO_AES_GCM) && (defined(WOLFSSL_STM32F4) || \
-            defined(WOLFSSL_STM32F7) || defined(WOLFSSL_STM32L4))
+            defined(WOLFSSL_STM32F7) || defined(WOLFSSL_STM32L4) || \
+			defined(WOLFSSL_STM32L5) || defined(WOLFSSL_STM32H7))
         /* Hardware supports AES GCM acceleration */
         #define STM32_CRYPTO_AES_GCM
     #endif
 
-    #ifdef WOLFSSL_STM32L4
+    #if defined(WOLFSSL_STM32WB)
         #define STM32_CRYPTO_AES_ONLY /* crypto engine only supports AES */
+        #define CRYP AES1
+        #define STM32_HAL_V2
+    #endif
+    #if defined(WOLFSSL_STM32L4) || defined(WOLFSSL_STM32L5)
+		#ifdef WOLFSSL_STM32L4
+        	#define STM32_CRYPTO_AES_ONLY /* crypto engine only supports AES */
+		#endif
         #define CRYP AES
+		#ifndef CRYP_AES_GCM
+			#define CRYP_AES_GCM CRYP_AES_GCM_GMAC
+		#endif
     #endif
 
     /* Detect newer CubeMX crypto HAL (HAL_CRYP_Encrypt / HAL_CRYP_Decrypt) */
-    #if !defined(STM32_HAL_V2) && \
+    #if !defined(STM32_HAL_V2) && defined(CRYP_AES_GCM) && \
-        defined(WOLFSSL_STM32F7) && defined(CRYP_AES_GCM)
+        (defined(WOLFSSL_STM32F7) || defined(WOLFSSL_STM32L5) || defined(WOLFSSL_STM32H7))
         #define STM32_HAL_V2
     #endif
 
@@ -122,7 +131,7 @@ int  wc_Stm32_Hash_Final(STM32_HASH_Context* stmCtx, word32 algo,
     struct Aes;
     #ifdef WOLFSSL_STM32_CUBEMX
         int wc_Stm32_Aes_Init(struct Aes* aes, CRYP_HandleTypeDef* hcryp);
-    #else /* STD_PERI_LIB */
+    #else /* Standard Peripheral Library */
         int wc_Stm32_Aes_Init(struct Aes* aes, CRYP_InitTypeDef* cryptInit,
             CRYP_KeyInitTypeDef* keyInit);
     #endif /* WOLFSSL_STM32_CUBEMX */
@@ -131,12 +140,25 @@ int  wc_Stm32_Hash_Final(STM32_HASH_Context* stmCtx, word32 algo,
 #endif /* STM32_CRYPTO */
 
 #if defined(WOLFSSL_STM32_PKA) && defined(HAVE_ECC)
-int stm32_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
+#ifdef WOLFSSL_SP_MATH
-                    word32 hashlen, int* res, ecc_key* key);
+    struct sp_int;
-
+    #define MATH_INT_T struct sp_int
-int stm32_ecc_sign_hash_ex(const byte* hash, word32 hashlen, WC_RNG* rng,
+#elif defined(USE_FAST_MATH)
-                     ecc_key* key, mp_int *r, mp_int *s);
+    struct fp_int;
+    #define MATH_INT_T struct fp_int
+#else
+    struct mp_int;
+	#define MATH_INT_T struct mp_int
 #endif
+struct ecc_key;
+struct WC_RNG;
+
+int stm32_ecc_verify_hash_ex(MATH_INT_T *r, MATH_INT_T *s, const byte* hash,
+                    word32 hashlen, int* res, struct ecc_key* key);
+
+int stm32_ecc_sign_hash_ex(const byte* hash, word32 hashlen, struct WC_RNG* rng,
+                     struct ecc_key* key, MATH_INT_T *r, MATH_INT_T *s);
+#endif /* WOLFSSL_STM32_PKA && HAVE_ECC */
 
 
 #endif /* _WOLFPORT_STM32_H_ */

source/libwolfssl/wolfcrypt/random.h

@@ -219,7 +219,7 @@ WOLFSSL_API int  wc_FreeRng(WC_RNG*);
 #define wc_InitRng_ex(rng, h, d) NOT_COMPILED_IN
 #define wc_InitRngNonce(rng, n, s) NOT_COMPILED_IN
 #define wc_InitRngNonce_ex(rng, n, s, h, d) NOT_COMPILED_IN
-#define wc_RNG_GenerateBlock(rng, b, s) NOT_COMPILED_IN
+#define wc_RNG_GenerateBlock(rng, b, s) ({(void)rng; (void)b; (void)s; NOT_COMPILED_IN;})
 #define wc_RNG_GenerateByte(rng, b) NOT_COMPILED_IN
 #define wc_FreeRng(rng) (void)NOT_COMPILED_IN
 #endif

source/libwolfssl/wolfcrypt/rsa.h

@@ -23,7 +23,13 @@
     \file wolfssl/wolfcrypt/rsa.h
 */
 
+/*
 
+DESCRIPTION
+This library provides the interface to the RSA.
+RSA keys can be used to encrypt, decrypt, sign and verify data.
+
+*/
 #ifndef WOLF_CRYPT_RSA_H
 #define WOLF_CRYPT_RSA_H
 
@@ -280,8 +286,9 @@ WOLFSSL_API int  wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx,
                                                                RsaKey*, word32);
 WOLFSSL_API int  wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz,
                                         const byte* e, word32 eSz, RsaKey* key);
-WOLFSSL_API int wc_RsaKeyToDer(RsaKey*, byte* output, word32 inLen);
+#ifdef WOLFSSL_KEY_GEN
-
+    WOLFSSL_API int wc_RsaKeyToDer(RsaKey*, byte* output, word32 inLen);
+#endif
 
 #ifdef WC_RSA_BLINDING
     WOLFSSL_API int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng);

source/libwolfssl/wolfcrypt/settings.h

@@ -62,6 +62,9 @@
 /* Uncomment next line if using Microchip TCP/IP stack, version 6 or later */
 /* #define MICROCHIP_TCPIP */
 
+/* Uncomment next line if using above Microchip TCP/IP defines with BSD API */
+/* #define MICROCHIP_TCPIP_BSD_API */
+
 /* Uncomment next line if using PIC32MZ Crypto Engine */
 /* #define WOLFSSL_MICROCHIP_PIC32MZ */
 
@@ -209,10 +212,16 @@
 /* Uncomment next line if using RENESAS RX64N */
 /* #define WOLFSSL_RENESAS_RX65N */
 
+/* Uncomment next line if using Solaris OS*/
+/* #define WOLFSSL_SOLARIS */
+
 #include <libwolfssl/wolfcrypt/visibility.h>
 
 #ifdef WOLFSSL_USER_SETTINGS
     #include "user_settings.h"
+#elif defined(USE_HAL_DRIVER) && !defined(HAVE_CONFIG_H)
+    /* STM Configuration File (generated by CubeMX) */
+    #include "wolfSSL.wolfSSL_conf.h"
 #endif
 
 
@@ -292,7 +301,7 @@
     #endif
 #endif
 
-#if defined(WOLFSSL_RENESAS_RA6M3G)
+#if defined(WOLFSSL_RENESAS_RA6M3G) || defined(WOLFSSL_RENESAS_RA6M3)
     /* settings in user_settings.h */
 #endif
 
@@ -337,7 +346,9 @@
     /* #define WOLFSSL_MICROCHIP_PIC32MZ */
     #define SIZEOF_LONG_LONG 8
     #define SINGLE_THREADED
-    #define WOLFSSL_USER_IO
+    #ifndef MICROCHIP_TCPIP_BSD_API
+        #define WOLFSSL_USER_IO
+    #endif
     #define NO_WRITEV
     #define NO_DEV_RANDOM
     #define NO_FILESYSTEM
@@ -375,6 +386,16 @@
     #endif
 #endif
 
+#ifdef WOLFSSL_ATECC508A
+    /* backwards compatibility */
+#ifndef WOLFSSL_ATECC_NO_ECDH_ENC
+    #define WOLFSSL_ATECC_ECDH_ENC
+#endif
+    #ifdef WOLFSSL_ATECC508A_DEBUG
+        #define WOLFSSL_ATECC_DEBUG
+    #endif
+#endif
+
 #ifdef MBED
     #define WOLFSSL_USER_IO
     #define NO_FILESYSTEM
@@ -601,7 +622,6 @@
 #ifdef WOLFSSL_NRF5x
         #define SIZEOF_LONG 4
         #define SIZEOF_LONG_LONG 8
-        #define NO_ASN_TIME
         #define NO_DEV_RANDOM
         #define NO_FILESYSTEM
         #define NO_MAIN_DRIVER
@@ -609,7 +629,6 @@
         #define SINGLE_THREADED
         #define USE_FAST_MATH
         #define TFM_TIMING_RESISTANT
-        #define USE_WOLFSSL_MEMORY
         #define WOLFSSL_NRF51
         #define WOLFSSL_USER_IO
         #define NO_SESSION_CACHE
@@ -703,7 +722,7 @@ extern void uITRON4_free(void *p) ;
         https://github.com/wolfSSL/wolfssl-freertos/pull/3/files */
     #if !defined(USE_FAST_MATH) || defined(HAVE_ED25519) || defined(HAVE_ED448)
         #if defined(WOLFSSL_ESPIDF)
-            /*In IDF, realloc(p, n) is equivalent to 
+            /*In IDF, realloc(p, n) is equivalent to
             heap_caps_realloc(p, s, MALLOC_CAP_8BIT) */
             #define XREALLOC(p, n, h, t) realloc((p), (n))
         #else
@@ -900,6 +919,19 @@ extern void uITRON4_free(void *p) ;
     #define TFM_TIMING_RESISTANT
 #endif
 
+/* To support storing some of the large constant tables in flash memory rather than SRAM.
+   Useful for processors that have limited SRAM, such as the AVR family of microtrollers. */
+#ifdef WOLFSSL_USE_FLASHMEM
+    /* This is supported on the avr-gcc compiler, for more information see:
+         https://gcc.gnu.org/onlinedocs/gcc/Named-Address-Spaces.html */
+    #define FLASH_QUALIFIER __flash
+
+    /* Copy data out of flash memory and into SRAM */
+    #define XMEMCPY_P(pdest, psrc, size) memcpy_P((pdest), (psrc), (size))
+#else
+    #define FLASH_QUALIFIER
+#endif
+
 #ifdef FREESCALE_MQX_5_0
     /* use normal Freescale MQX port, but with minor changes for 5.0 */
     #define FREESCALE_MQX
@@ -1187,7 +1219,8 @@ extern void uITRON4_free(void *p) ;
 
 #if defined(WOLFSSL_STM32F2) || defined(WOLFSSL_STM32F4) || \
     defined(WOLFSSL_STM32F7) || defined(WOLFSSL_STM32F1) || \
-    defined(WOLFSSL_STM32L4)
+    defined(WOLFSSL_STM32L4) || defined(WOLFSSL_STM32L5) || \
+    defined(WOLFSSL_STM32WB) || defined(WOLFSSL_STM32H7)
 
     #define SIZEOF_LONG_LONG 8
     #ifndef CHAR_BIT
@@ -1208,7 +1241,8 @@ extern void uITRON4_free(void *p) ;
         #undef  STM32_CRYPTO
         #define STM32_CRYPTO
 
-        #ifdef WOLFSSL_STM32L4
+        #if defined(WOLFSSL_STM32L4) || defined(WOLFSSL_STM32L5) || \
+            defined(WOLFSSL_STM32WB)
             #define NO_AES_192 /* hardware does not support 192-bit */
         #endif
     #endif
@@ -1221,8 +1255,12 @@ extern void uITRON4_free(void *p) ;
     #endif
     #define NO_OLD_RNGNAME
     #ifdef WOLFSSL_STM32_CUBEMX
-        #if defined(WOLFSSL_STM32F2)
+		#if defined(WOLFSSL_STM32F1)
+			#include "stm32f1xx_hal.h"
+        #elif defined(WOLFSSL_STM32F2)
             #include "stm32f2xx_hal.h"
+		#elif defined(WOLFSSL_STM32L5)
+            #include "stm32l5xx_hal.h"
         #elif defined(WOLFSSL_STM32L4)
             #include "stm32l4xx_hal.h"
         #elif defined(WOLFSSL_STM32F4)
@@ -1231,6 +1269,10 @@ extern void uITRON4_free(void *p) ;
             #include "stm32f7xx_hal.h"
         #elif defined(WOLFSSL_STM32F1)
             #include "stm32f1xx_hal.h"
+        #elif defined(WOLFSSL_STM32H7)
+            #include "stm32h7xx_hal.h"
+        #elif defined(WOLFSSL_STM32WB)
+            #include "stm32wbxx_hal.h"
         #endif
         #if defined(WOLFSSL_CUBEMX_USE_LL) && defined(WOLFSSL_STM32L4)
             #include "stm32l4xx_ll_rng.h"
@@ -1256,7 +1298,15 @@ extern void uITRON4_free(void *p) ;
             #ifdef STM32_HASH
                 #include "stm32f4xx_hash.h"
             #endif
-        #elif defined(WOLFSSL_STM32L4)
+		#elif defined(WOLFSSL_STM32L5)
+            #include "stm32l5xx.h"
+            #ifdef STM32_CRYPTO
+                #include "stm32l5xx_cryp.h"
+            #endif
+            #ifdef STM32_HASH
+                #include "stm32l5xx_hash.h"
+            #endif
+    	#elif defined(WOLFSSL_STM32L4)
             #include "stm32l4xx.h"
             #ifdef STM32_CRYPTO
                 #include "stm32l4xx_cryp.h"
@@ -1266,11 +1316,14 @@ extern void uITRON4_free(void *p) ;
             #endif
         #elif defined(WOLFSSL_STM32F7)
             #include "stm32f7xx.h"
+        #elif defined(WOLFSSL_STM32H7)
+            #include "stm32h7xx.h"
         #elif defined(WOLFSSL_STM32F1)
             #include "stm32f1xx.h"
         #endif
     #endif /* WOLFSSL_STM32_CUBEMX */
-#endif /* WOLFSSL_STM32F2 || WOLFSSL_STM32F4 || WOLFSSL_STM32L4 || WOLFSSL_STM32F7 */
+#endif /* WOLFSSL_STM32F2 || WOLFSSL_STM32F4 || WOLFSSL_STM32L4 || 
+		  WOLFSSL_STM32L5 || WOLFSSL_STM32F7 || WOLFSSL_STMWB || WOLFSSL_STM32H7 */
 #ifdef WOLFSSL_DEOS
     #include <deos.h>
     #include <timeout.h>
@@ -1400,6 +1453,22 @@ extern void uITRON4_free(void *p) ;
     #endif
 #endif /* MICRIUM */
 
+#if defined(sun) || defined(__sun)
+# if defined(__SVR4) || defined(__svr4__)
+    /* Solaris */
+    #ifndef WOLFSSL_SOLARIS
+        #define WOLFSSL_SOLARIS
+    #endif
+# else
+    /* SunOS */
+# endif
+#endif
+
+#ifdef WOLFSSL_SOLARIS
+    /* Avoid naming clash with fp_zero from math.h > ieefp.h */
+    #define WOLFSSL_DH_CONST
+#endif
+
 #ifdef WOLFSSL_MCF5441X
     #define BIG_ENDIAN_ORDER
     #ifndef SIZEOF_LONG
@@ -2196,6 +2265,21 @@ extern void uITRON4_free(void *p) ;
     #define WOLFSSL_NO_CONSTCHARCONST
 #endif
 
+/* FIPS v1 does not support TLS v1.3 (requires RSA PSS and HKDF) */
+#if defined(HAVE_FIPS) && !defined(HAVE_FIPS_VERSION)
+    #undef WC_RSA_PSS
+    #undef WOLFSSL_TLS13
+#endif
+
+/* For FIPSv2 make sure the ECDSA encoding allows extra bytes
+ * but make sure users consider enabling it */
+#if !defined(NO_STRICT_ECDSA_LEN) && defined(HAVE_FIPS) && \
+        defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    /* ECDSA length checks off by default for CAVP testing
+     * consider enabling strict checks in production */
+    #define NO_STRICT_ECDSA_LEN
+#endif
+
 
 #ifdef __cplusplus
     }   /* extern "C" */

source/libwolfssl/wolfcrypt/sha.h

@@ -101,6 +101,8 @@ enum {
 #elif defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \
    !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)
     #include "wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h"
+#elif defined(WOLFSSL_PSOC6_CRYPTO)
+    #include "wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h"
 #else
 
 /* Sha digest */

source/libwolfssl/wolfcrypt/sha256.h

@@ -126,6 +126,8 @@ enum {
 #elif defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \
    !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)
     #include "wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h"
+#elif defined(WOLFSSL_PSOC6_CRYPTO)
+    #include "wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h"
 #else
 
 /* wc_Sha256 digest */
@@ -142,6 +144,7 @@ struct wc_Sha256 {
     word32  loLen;     /* length in bytes   */
     word32  hiLen;     /* length in bytes   */
     void*   heap;
+#endif
 #ifdef WOLFSSL_PIC32MZ_HASH
     hashUpdCache cache; /* cache for updates */
 #endif
@@ -150,7 +153,7 @@ struct wc_Sha256 {
 #endif /* WOLFSSL_ASYNC_CRYPT */
 #ifdef WOLFSSL_SMALL_STACK_CACHE
     word32* W;
-#endif
+#endif /* !FREESCALE_LTC_SHA && !STM32_HASH_SHA2 */
 #ifdef WOLFSSL_DEVCRYPTO_HASH
     WC_CRYPTODEV ctx;
     byte*  msg;
@@ -168,7 +171,6 @@ struct wc_Sha256 {
     int    devId;
     void*  devCtx; /* generic crypto callback context */
 #endif
-#endif
 #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
     word32 flags; /* enum wc_HashFlags in hash.h */
 #endif

source/libwolfssl/wolfcrypt/sha3.h

@@ -58,7 +58,8 @@ enum {
     WC_SHA3_512_DIGEST_SIZE  = 64,
     WC_SHA3_512_COUNT        =  9,
 
-#ifndef HAVE_SELFTEST
+#if !defined(HAVE_SELFTEST) || \
+    defined(HAVE_SELFTEST_VERSION) && (HAVE_SELFTEST_VERSION >= 2)
     /* These values are used for HMAC, not SHA-3 directly.
      * They come from from FIPS PUB 202. */
     WC_SHA3_224_BLOCK_SIZE = 144,

source/libwolfssl/wolfcrypt/sha512.h

@@ -31,6 +31,7 @@
 
 #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)
 
+
 #if defined(HAVE_FIPS) && \
     defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
     #include <libwolfssl/wolfcrypt/fips.h>
@@ -111,6 +112,8 @@ enum {
 
 #ifdef WOLFSSL_IMX6_CAAM
     #include "wolfssl/wolfcrypt/port/caam/wolfcaam_sha.h"
+#elif defined (WOLFSSL_PSOC6_CRYPTO)
+    #include "wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h"
 #else
 /* wc_Sha512 digest */
 struct wc_Sha512 {
@@ -153,6 +156,7 @@ WOLFSSL_LOCAL void Transform_Sha512_Len(wc_Sha512* sha512, const byte* data,
 
 #ifdef WOLFSSL_SHA512
 
+
 WOLFSSL_API int wc_InitSha512(wc_Sha512*);
 WOLFSSL_API int wc_InitSha512_ex(wc_Sha512*, void*, int);
 WOLFSSL_API int wc_Sha512Update(wc_Sha512*, const byte*, word32);

source/libwolfssl/wolfcrypt/sp.h

@@ -37,7 +37,9 @@
 
 #if defined(_MSC_VER)
     #define SP_NOINLINE __declspec(noinline)
-#elif defined(__IAR_SYSTEMS_ICC__) || defined(__GNUC__) || defined(__KEIL__)
+#elif defined(__ICCARM__) || defined(__IAR_SYSTEMS_ICC__)
+    #define SP_NOINLINE _Pragma("inline = never")
+#elif defined(__GNUC__) || defined(__KEIL__)
     #define SP_NOINLINE __attribute__((noinline))
 #else
     #define SP_NOINLINE
@@ -141,7 +143,18 @@ int sp_ecc_proj_dbl_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
 int sp_ecc_map_384(mp_int* pX, mp_int* pY, mp_int* pZ);
 int sp_ecc_uncompress_384(mp_int* xm, int odd, mp_int* ym);
 
-#endif /*ifdef WOLFSSL_HAVE_SP_ECC */
+#ifdef WOLFSSL_SP_NONBLOCK
+int sp_ecc_sign_256_nb(sp_ecc_ctx_t* ctx, const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap);
+int sp_ecc_verify_256_nb(sp_ecc_ctx_t* ctx, const byte* hash, word32 hashLen, mp_int* pX, mp_int* pY,
+                      mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap);
+int sp_ecc_sign_384_nb(sp_ecc_ctx_t* ctx, const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap);
+int sp_ecc_verify_384_nb(sp_ecc_ctx_t* ctx, const byte* hash, word32 hashLen, mp_int* pX, mp_int* pY,
+                      mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap);
+#endif /* WOLFSSL_SP_NONBLOCK */
+
+#endif /* WOLFSSL_HAVE_SP_ECC */
 
 
 #ifdef __cplusplus

source/libwolfssl/wolfcrypt/sp_int.h

@@ -19,7 +19,11 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+/*
+DESCRIPTION
+This library provides single precision (SP) integer math functions.
 
+*/
 #ifndef WOLF_CRYPT_SP_INT_H
 #define WOLF_CRYPT_SP_INT_H
 
@@ -60,6 +64,7 @@
     typedef int32 sp_digit;
     typedef uint32 sp_int_digit;
     typedef uint64 sp_int_word;
+    typedef int64 sp_int_sword;
     #undef SP_WORD_SIZE
     #define SP_WORD_SIZE 32
 #elif !defined(WOLFSSL_SP_ASM)
@@ -67,6 +72,7 @@
     typedef int32_t sp_digit;
     typedef uint32_t sp_int_digit;
     typedef uint64_t sp_int_word;
+    typedef int64_t sp_int_sword;
   #elif SP_WORD_SIZE == 64
     typedef int64_t sp_digit;
     typedef uint64_t sp_int_digit;
@@ -78,6 +84,7 @@
       typedef long int128_t __attribute__ ((mode(TI)));
     #endif
     typedef uint128_t sp_int_word;
+    typedef int128_t sp_int_sword;
   #else
     #error Word size not defined
   #endif
@@ -86,6 +93,7 @@
     typedef uint32_t sp_digit;
     typedef uint32_t sp_int_digit;
     typedef uint64_t sp_int_word;
+    typedef int64_t sp_int_sword;
   #elif SP_WORD_SIZE == 64
     typedef uint64_t sp_digit;
     typedef uint64_t sp_int_digit;
@@ -97,6 +105,7 @@
       typedef long int128_t __attribute__ ((mode(TI)));
     #endif
     typedef uint128_t sp_int_word;
+    typedef int128_t sp_int_sword;
   #else
     #error Word size not defined
   #endif
@@ -104,6 +113,17 @@
 
 #define SP_MASK    (sp_digit)(-1)
 
+
+#if defined(WOLFSSL_HAVE_SP_ECC) && defined(WOLFSSL_SP_NONBLOCK)
+typedef struct sp_ecc_ctx {
+    #ifdef WOLFSSL_SP_384
+    byte data[48*80]; /* stack data */
+    #else
+    byte data[32*80]; /* stack data */
+    #endif
+} sp_ecc_ctx_t;
+#endif
+
 #ifdef WOLFSSL_SP_MATH
 #include <libwolfssl/wolfcrypt/random.h>
 
@@ -169,9 +189,10 @@ typedef sp_int_digit mp_digit;
 MP_API int sp_init(sp_int* a);
 MP_API int sp_init_multi(sp_int* a, sp_int* b, sp_int* c, sp_int* d,
                          sp_int* e, sp_int* f);
+MP_API void sp_free(sp_int* a);
 MP_API void sp_clear(sp_int* a);
 MP_API int sp_unsigned_bin_size(sp_int* a);
-MP_API int sp_read_unsigned_bin(sp_int* a, const byte* in, int inSz);
+MP_API int sp_read_unsigned_bin(sp_int* a, const byte* in, word32 inSz);
 MP_API int sp_read_radix(sp_int* a, const char* in, int radix);
 MP_API int sp_cmp(sp_int* a, sp_int* b);
 MP_API int sp_count_bits(sp_int* a);
@@ -211,7 +232,6 @@ MP_API void sp_rshb(sp_int* a, int n, sp_int* r);
 MP_API int sp_mul_d(sp_int* a, sp_int_digit n, sp_int* r);
 
 
-#define MP_OKAY    0
 #define MP_NO      0
 #define MP_YES     1
 
@@ -221,15 +241,17 @@ MP_API int sp_mul_d(sp_int* a, sp_int_digit n, sp_int* r);
 #define MP_EQ    0
 #define MP_LT    -1
 
+#define MP_OKAY   0
 #define MP_MEM   -2
 #define MP_VAL   -3
+#define FP_WOULDBLOCK -4
 
 #define DIGIT_BIT  SP_WORD_SIZE
 #define MP_MASK    SP_MASK
 
 #define CheckFastMathSettings() 1
 
-#define mp_free(a)
+#define mp_free                     sp_free
 
 #define mp_isodd                    sp_isodd
 #define mp_iseven                   sp_iseven

source/libwolfssl/wolfcrypt/tfm.h

@@ -432,7 +432,7 @@ MP_API void fp_free(fp_int* a);
 
 /* set to a small digit */
 void fp_set(fp_int *a, fp_digit b);
-void fp_set_int(fp_int *a, unsigned long b);
+int  fp_set_int(fp_int *a, unsigned long b);
 
 /* check if a bit is set */
 int fp_is_bit_set(fp_int *a, fp_digit b);
@@ -459,7 +459,7 @@ void fp_rshd(fp_int *a, int x);
 void fp_rshb(fp_int *a, int x);
 
 /* left shift x digits */
-void fp_lshd(fp_int *a, int x);
+int fp_lshd(fp_int *a, int x);
 
 /* signed comparison */
 int fp_cmp(fp_int *a, fp_int *b);
@@ -470,19 +470,22 @@ int fp_cmp_mag(fp_int *a, fp_int *b);
 /* power of 2 operations */
 void fp_div_2d(fp_int *a, int b, fp_int *c, fp_int *d);
 void fp_mod_2d(fp_int *a, int b, fp_int *c);
-void fp_mul_2d(fp_int *a, int b, fp_int *c);
+int  fp_mul_2d(fp_int *a, int b, fp_int *c);
 void fp_2expt (fp_int *a, int b);
-void fp_mul_2(fp_int *a, fp_int *c);
+int  fp_mul_2(fp_int *a, fp_int *c);
 void fp_div_2(fp_int *a, fp_int *c);
+/* c = a / 2 (mod b) - constant time (a < b and positive) */
+int fp_div_2_mod_ct(fp_int *a, fp_int *b, fp_int *c);
+
 
 /* Counts the number of lsbs which are zero before the first zero bit */
 int fp_cnt_lsb(fp_int *a);
 
 /* c = a + b */
-void fp_add(fp_int *a, fp_int *b, fp_int *c);
+int fp_add(fp_int *a, fp_int *b, fp_int *c);
 
 /* c = a - b */
-void fp_sub(fp_int *a, fp_int *b, fp_int *c);
+int fp_sub(fp_int *a, fp_int *b, fp_int *c);
 
 /* c = a * b */
 int fp_mul(fp_int *a, fp_int *b, fp_int *c);
@@ -500,13 +503,13 @@ int fp_mod(fp_int *a, fp_int *b, fp_int *c);
 int fp_cmp_d(fp_int *a, fp_digit b);
 
 /* c = a + b */
-void fp_add_d(fp_int *a, fp_digit b, fp_int *c);
+int fp_add_d(fp_int *a, fp_digit b, fp_int *c);
 
 /* c = a - b */
 int fp_sub_d(fp_int *a, fp_digit b, fp_int *c);
 
 /* c = a * b */
-void fp_mul_d(fp_int *a, fp_digit b, fp_int *c);
+int fp_mul_d(fp_int *a, fp_digit b, fp_int *c);
 
 /* a/b => cb + d == a */
 /*int fp_div_d(fp_int *a, fp_digit b, fp_int *c, fp_digit *d);*/
@@ -530,6 +533,12 @@ int fp_submod(fp_int *a, fp_int *b, fp_int *c, fp_int *d);
 /* d = a + b (mod c) */
 int fp_addmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d);
 
+/* d = a - b (mod c) - constant time (a < c and b < c) */
+int fp_submod_ct(fp_int *a, fp_int *b, fp_int *c, fp_int *d);
+
+/* d = a + b (mod c) - constant time (a < c and b < c) */
+int fp_addmod_ct(fp_int *a, fp_int *b, fp_int *c, fp_int *d);
+
 /* c = a * a (mod b) */
 int fp_sqrmod(fp_int *a, fp_int *b, fp_int *c);
 
@@ -549,10 +558,11 @@ int fp_montgomery_setup(fp_int *a, fp_digit *mp);
 /* computes a = B**n mod b without division or multiplication useful for
  * normalizing numbers in a Montgomery system.
  */
-void fp_montgomery_calc_normalization(fp_int *a, fp_int *b);
+int fp_montgomery_calc_normalization(fp_int *a, fp_int *b);
 
 /* computes x/R == x (mod N) via Montgomery Reduction */
 int fp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp);
+int fp_montgomery_reduce_ex(fp_int *a, fp_int *m, fp_digit mp, int ct);
 
 /* d = a**b (mod c) */
 int fp_exptmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d);
@@ -637,7 +647,7 @@ int fp_count_bits(fp_int *a);
 int fp_leading_bit(fp_int *a);
 
 int fp_unsigned_bin_size(fp_int *a);
-void fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c);
+int fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c);
 int fp_to_unsigned_bin(fp_int *a, unsigned char *b);
 int fp_to_unsigned_bin_len(fp_int *a, unsigned char *b, int c);
 int fp_to_unsigned_bin_at_pos(int x, fp_int *t, unsigned char *b);
@@ -652,7 +662,7 @@ int fp_to_unsigned_bin_at_pos(int x, fp_int *t, unsigned char *b);
 
 
 /* VARIOUS LOW LEVEL STUFFS */
-void s_fp_add(fp_int *a, fp_int *b, fp_int *c);
+int  s_fp_add(fp_int *a, fp_int *b, fp_int *c);
 void s_fp_sub(fp_int *a, fp_int *b, fp_int *c);
 void fp_reverse(unsigned char *s, int len);
 
@@ -728,6 +738,7 @@ int  fp_sqr_comba64(fp_int *a, fp_int *b);
 #define mp_tohex(M, S)     mp_toradix((M), (S), MP_RADIX_HEX)
 
 MP_API int  mp_init (mp_int * a);
+MP_API int  mp_init_copy(fp_int * a, fp_int * b);
 MP_API void mp_clear (mp_int * a);
 MP_API void mp_free (mp_int * a);
 MP_API void mp_forcezero (mp_int * a);
@@ -743,6 +754,8 @@ MP_API int  mp_mul_d (mp_int * a, mp_digit b, mp_int * c);
 MP_API int  mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d);
 MP_API int  mp_submod (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_addmod (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
+MP_API int  mp_submod_ct (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
+MP_API int  mp_addmod_ct (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_mod(mp_int *a, mp_int *b, mp_int *c);
 MP_API int  mp_invmod(mp_int *a, mp_int *b, mp_int *c);
 MP_API int  mp_invmod_mont_ct(mp_int *a, mp_int *b, mp_int *c, fp_digit mp);
@@ -791,9 +804,11 @@ MP_API int mp_radix_size (mp_int * a, int radix, int *size);
 #ifdef HAVE_ECC
     MP_API int mp_sqr(fp_int *a, fp_int *b);
     MP_API int mp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp);
+    MP_API int mp_montgomery_reduce_ex(fp_int *a, fp_int *m, fp_digit mp,
+                                       int ct);
     MP_API int mp_montgomery_setup(fp_int *a, fp_digit *rho);
     MP_API int mp_div_2(fp_int * a, fp_int * b);
-    MP_API int mp_init_copy(fp_int * a, fp_int * b);
+    MP_API int mp_div_2_mod_ct(mp_int *a, mp_int *b, mp_int *c);
 #endif
 
 #if defined(HAVE_ECC) || !defined(NO_RSA) || !defined(NO_DSA) || \

source/libwolfssl/wolfcrypt/types.h

@@ -22,7 +22,12 @@
 /*!
     \file wolfssl/wolfcrypt/types.h
 */
+/*
+DESCRIPTION
+This library defines the primitive data types and abstraction macros to
+decouple library dependencies with standard string, memory and so on.
 
+*/
 #ifndef WOLF_CRYPT_TYPES_H
 #define WOLF_CRYPT_TYPES_H
 
@@ -342,9 +347,9 @@
         #else
         /* just use plain C stdlib stuff if desired */
         #include <stdlib.h>
-        #define XMALLOC(s, h, t)     malloc((s))
+        #define XMALLOC(s, h, t)     malloc((size_t)(s))
         #define XFREE(p, h, t)       {void* xp = (p); if((xp)) free((xp));}
-        #define XREALLOC(p, n, h, t) realloc((p), (n))
+        #define XREALLOC(p, n, h, t) realloc((p), (size_t)(n))
         #endif
     #elif !defined(MICRIUM_MALLOC) && !defined(EBSNET) \
             && !defined(WOLFSSL_SAFERTOS) && !defined(FREESCALE_MQX) \

source/libwolfssl/wolfcrypt/wc_encrypt.h

@@ -28,24 +28,33 @@
 #define WOLF_CRYPT_ENCRYPT_H
 
 #include <libwolfssl/wolfcrypt/types.h>
-#include <libwolfssl/wolfcrypt/aes.h>
+#ifndef NO_AES
-#include <libwolfssl/wolfcrypt/chacha.h>
+    #include <libwolfssl/wolfcrypt/aes.h>
-#include <libwolfssl/wolfcrypt/des3.h>
+#endif
-#include <libwolfssl/wolfcrypt/arc4.h>
+#ifdef HAVE_CHACHA
+    #include <libwolfssl/wolfcrypt/chacha.h>
+#endif
+#ifndef NO_DES3
+    #include <libwolfssl/wolfcrypt/des3.h>
+#endif
+#ifndef NO_RC4
+    #include <libwolfssl/wolfcrypt/arc4.h>
+#endif
 
 #ifdef __cplusplus
     extern "C" {
 #endif
 
-/* determine max cipher key size */
+/* determine max cipher key size - cannot use enum values here, must be define,
+ * since WC_MAX_SYM_KEY_SIZE is used in if macro logic. */
 #ifndef NO_AES
     #define WC_MAX_SYM_KEY_SIZE     (AES_MAX_KEY_SIZE/8)
 #elif defined(HAVE_CHACHA)
-    #define WC_MAX_SYM_KEY_SIZE     CHACHA_MAX_KEY_SZ
+    #define WC_MAX_SYM_KEY_SIZE     32 /* CHACHA_MAX_KEY_SZ */
 #elif !defined(NO_DES3)
-    #define WC_MAX_SYM_KEY_SIZE     DES3_KEY_SIZE
+    #define WC_MAX_SYM_KEY_SIZE     24 /* DES3_KEY_SIZE */
 #elif !defined(NO_RC4)
-    #define WC_MAX_SYM_KEY_SIZE     RC4_KEY_SIZE
+    #define WC_MAX_SYM_KEY_SIZE     16 /* RC4_KEY_SIZE */
 #else
     #define WC_MAX_SYM_KEY_SIZE     32
 #endif

source/libwolfssl/wolfcrypt/wc_pkcs11.h

@@ -6,7 +6,7 @@
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
+ * the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
  *
  * wolfSSL is distributed in the hope that it will be useful,

source/libwolfssl/wolfcrypt/wc_port.h

@@ -156,8 +156,10 @@
 
 #else
     #ifndef SINGLE_THREADED
-        #define WOLFSSL_PTHREADS
+        #ifndef  WOLFSSL_USER_MUTEX
-        #include <pthread.h>
+            #define WOLFSSL_PTHREADS
+            #include <pthread.h>
+        #endif
     #endif
     #if (defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS)) && \
         !defined(NO_FILESYSTEM)
@@ -238,6 +240,8 @@
         typedef struct k_mutex wolfSSL_Mutex;
     #elif defined(WOLFSSL_TELIT_M2MB)
         typedef M2MB_OS_MTX_HANDLE wolfSSL_Mutex;
+    #elif defined(WOLFSSL_USER_MUTEX)
+        /* typedef User_Mutex wolfSSL_Mutex; */
     #else
         #error Need a mutex type in multithreaded mode
     #endif /* USE_WINDOWS_API */
@@ -245,7 +249,7 @@
 
 /* Enable crypt HW mutex for Freescale MMCAU, PIC32MZ or STM32 */
 #if defined(FREESCALE_MMCAU) || defined(WOLFSSL_MICROCHIP_PIC32MZ) || \
-    defined(STM32_CRYPTO)
+    defined(STM32_CRYPTO) || defined(STM32_HASH) || defined(STM32_RNG)
     #ifndef WOLFSSL_CRYPT_HW_MUTEX
         #define WOLFSSL_CRYPT_HW_MUTEX  1
     #endif
@@ -451,6 +455,9 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
         #define MAX_PATH 256
     #endif
 
+    WOLFSSL_LOCAL int wc_FileLoad(const char* fname, unsigned char** buf, 
+        size_t* bufLen, void* heap);
+
 #if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_NUCLEUS) && \
     !defined(WOLFSSL_NUCLEUS_1_2)
     typedef struct ReadDirCtx {
@@ -553,6 +560,7 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
 
 #elif defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP)
     #include <time.h>
+    extern time_t pic32_time(time_t* timer);
     #define XTIME(t1)       pic32_time((t1))
     #define XGMTIME(c, t)   gmtime((c))
 
@@ -683,7 +691,7 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
 #endif
 #if !defined(XVALIDATE_DATE) && !defined(HAVE_VALIDATE_DATE)
     #define USE_WOLF_VALIDDATE
-    #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
+    #define XVALIDATE_DATE(d, f, t) wc_ValidateDate((d), (f), (t))
 #endif
 
 /* wolf struct tm and time_t */

source/libwolfssl/wolfcrypt/wolfmath.h

@@ -19,6 +19,11 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+/*
+DESCRIPTION
+This library provides big integer math functions.
+
+*/
 #ifndef __WOLFMATH_H__
 #define __WOLFMATH_H__
 

source/libwolfssl/wolfio.h

@@ -126,6 +126,8 @@
         #include <errno.h>
     #elif defined(WOLFSSL_ZEPHYR)
         #include <net/socket.h>
+    #elif defined(MICROCHIP_PIC32)
+        #include <sys/errno.h>
     #elif defined(HAVE_NETX)
         #include "nx_api.h"
         #include "errno.h"
@@ -147,7 +149,6 @@
                 && !defined(WOLFSSL_CONTIKI) && !defined(WOLFSSL_WICED) \
                 && !defined(WOLFSSL_GNRC) && !defined(WOLFSSL_RIOT_OS)
             #include <network.h>
-            //#include <sys/socket.h>
             //#include <arpa/inet.h>
             //#include <netinet/in.h>
             //#include <netdb.h>
@@ -159,7 +160,7 @@
         #endif
     #endif
 
-    #if defined(WOLFSSL_RENESAS_RA6M3G) /* Uses FREERTOS_TCP */
+    #if defined(WOLFSSL_RENESAS_RA6M3G) || defined(WOLFSSL_RENESAS_RA6M3) /* Uses FREERTOS_TCP */
         #include <errno.h>
     #endif
 

source/menu/menu.cpp

@@ -25,6 +25,7 @@
 #include "music/SoundHandler.hpp"
 #include "network/gcard.h"
 #include "unzip/U8Archive.h"
+#include "network/proxysettings.h"
 
 // Sounds
 extern const u8 click_wav[];
@@ -172,6 +173,16 @@ bool CMenu::init(bool usb_mounted)
 	/* Init Network if wanted for gamercard if it isn't already inited */
 	if(has_enabled_providers())
 		_initAsyncNetwork();
+	/* Set the proxy settings */
+	proxyUseSystem = m_cfg.getBool("PROXY", "proxy_use_system", true);
+	memset(proxyAddress, 0, sizeof(proxyAddress));
+	strncpy(proxyAddress, m_cfg.getString("PROXY", "proxy_address", "").c_str(), sizeof(proxyAddress) - 1);
+	proxyPort = m_cfg.getInt("PROXY", "proxy_port", 0);
+	memset(proxyUsername, 0, sizeof(proxyUsername));
+	strncpy(proxyUsername, m_cfg.getString("PROXY", "proxy_username", "").c_str(), sizeof(proxyUsername) - 1);
+	memset(proxyPassword, 0, sizeof(proxyPassword));
+	strncpy(proxyPassword, m_cfg.getString("PROXY", "proxy_password", "").c_str(), sizeof(proxyPassword) - 1);
+	getProxyInfo();
 	
 	/* Set SD only to off if any usb device is attached and format is FAT, NTFS, WBFS, or LINUX */
 	m_cfg.getBool("GENERAL", "sd_only", true);// will only set it true if this doesn't already exist

source/menu/menu.hpp

@@ -1196,6 +1196,13 @@ public:
 	void _hideWaitMessage();
 	void GC_Messenger(int message, int info, char *cinfo);
 
+	/* proxy settings */
+	bool proxyUseSystem;
+	char proxyAddress[256];
+	u16 proxyPort;
+	char proxyUsername[34];
+	char proxyPassword[34];
+
 	/* general thread updating stuff */
 	u64 m_thrdTotal;
 	void update_pThread(u64 amount, bool add = true);

source/menu/menu_config.cpp

@@ -3,7 +3,7 @@
 #include "channel/nand.hpp"
 #include "loader/nk.h"
 
-const int CMenu::_nbCfgPages = 13;
+const int CMenu::_nbCfgPages = 14;
 
 void CMenu::_hideConfigCommon(bool instant)
 {

source/menu/menu_config7.cpp

@@ -50,15 +50,18 @@ void CMenu::_showConfig7(int curPage)
 
 	m_btnMgr.show(m_config7Lbl1);
 	m_btnMgr.show(m_config7Btn1);
-	m_btnMgr.show(m_config7Lbl2);
+	if(curPage != 14)
-	m_btnMgr.show(m_config7Btn2);
+	{
-	m_btnMgr.show(m_config7Lbl3);
+		m_btnMgr.show(m_config7Lbl2);
-	m_btnMgr.show(m_config7Btn3);
+		m_btnMgr.show(m_config7Btn2);
-	m_btnMgr.show(m_config7Lbl4);
+		m_btnMgr.show(m_config7Lbl3);
+		m_btnMgr.show(m_config7Btn3);
+		m_btnMgr.show(m_config7Lbl4);
+	}
 
 	if(curPage == 7 || curPage == 11 || curPage == 12 || curPage == 13)
 		m_btnMgr.show(m_config7Btn4);
-	else
+	else if(curPage != 14)
 	{
 		m_btnMgr.show(m_config7Lbl4Val);
 		m_btnMgr.show(m_config7Btn4M);
@@ -131,7 +134,7 @@ void CMenu::_showConfig7(int curPage)
 		m_btnMgr.setText(m_config7Lbl4, _t("cfg727", L"Use Plugin Database Titles"));
 		m_btnMgr.setText(m_config7Btn4, m_cfg.getBool(PLUGIN_DOMAIN, "database_titles", true) ?  _t("yes", L"Yes") : _t("no", L"No"));
 	}
-	else // page 13
+	else if(curPage == 13)
 	{
 		m_btnMgr.setText(m_config7Lbl1, _t("cfgg49", L"480p Pixel Patch"));
 		m_btnMgr.setText(m_config7Btn1, m_cfg.getBool(WII_DOMAIN, "fix480p", false) ? _t("on", L"On") : _t("off", L"Off"));
@@ -142,6 +145,11 @@ void CMenu::_showConfig7(int curPage)
 		m_btnMgr.setText(m_config7Lbl4, _t("cfg724", L"Lock coverflow layouts"));
 		m_btnMgr.setText(m_config7Btn4, m_cfg.getBool("general", "cf_locked") ? _t("yes", L"Yes") : _t("no", L"No"));
 	}
+	else // page 14
+	{
+		m_btnMgr.setText(m_config7Lbl1, _t("cfg729", L"Use system proxy settings"));
+		m_btnMgr.setText(m_config7Btn1, m_cfg.getBool("PROXY", "proxy_use_system") ? _t("on", L"On") : _t("off", L"Off"));
+	}
 }
 
 int CMenu::_config7(int curPage)
@@ -348,6 +356,16 @@ int CMenu::_config7(int curPage)
 					CFLocked = val;
 				}
 			}
+			if(curPage == 14)
+			{
+				if(m_btnMgr.selected(m_config7Btn1))
+				{
+					bool val = !m_cfg.getBool("PROXY", "proxy_use_system");
+					m_cfg.setBool("PROXY", "proxy_use_system", val);
+					mainMenu.proxyUseSystem = val;
+					m_btnMgr.setText(m_config7Btn1, val ? _t("on", L"On") : _t("off", L"Off"));
+				}
+			}
 		}
 	}
 	if(rand_music != m_cfg.getBool("GENERAL", "randomize_music"))

source/network/base64.h

@@ -0,0 +1,171 @@
+/*
+
+  https://github.com/superwills/NibbleAndAHalf
+  base64.h -- Fast base64 encoding and decoding.
+  version 1.0.0, April 17, 2013 143a
+
+  Copyright (C) 2013 William Sherif
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  William Sherif
+  will.sherif@gmail.com
+
+  YWxsIHlvdXIgYmFzZSBhcmUgYmVsb25nIHRvIHVz
+
+*/
+#ifndef BASE64_H
+#define BASE64_H
+
+#include <stdio.h>
+#include <stdlib.h>
+
+static const char* b64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+// maps A=>0,B=>1..
+static const unsigned char unb64[]={
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //10 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //20 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //30 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //40 
+  0,   0,   0,  62,   0,   0,   0,  63,  52,  53, //50 
+ 54,  55,  56,  57,  58,  59,  60,  61,   0,   0, //60 
+  0,   0,   0,   0,   0,   0,   1,   2,   3,   4, //70 
+  5,   6,   7,   8,   9,  10,  11,  12,  13,  14, //80 
+ 15,  16,  17,  18,  19,  20,  21,  22,  23,  24, //90 
+ 25,   0,   0,   0,   0,   0,   0,  26,  27,  28, //100 
+ 29,  30,  31,  32,  33,  34,  35,  36,  37,  38, //110 
+ 39,  40,  41,  42,  43,  44,  45,  46,  47,  48, //120 
+ 49,  50,  51,   0,   0,   0,   0,   0,   0,   0, //130 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //140 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //150 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //160 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //170 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //180 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //190 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //200 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //210 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //220 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //230 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //240 
+  0,   0,   0,   0,   0,   0,   0,   0,   0,   0, //250 
+  0,   0,   0,   0,   0,   0, 
+}; // This array has 256 elements
+
+// Converts binary data of length=len to base64 characters.
+// Length of the resultant string is stored in flen
+// (you must pass pointer flen).
+char* base64( const void* binaryData, int len, int *flen )
+{
+  const unsigned char* bin = (const unsigned char*) binaryData;
+  char* res;
+
+  int rc = 0; // result counter
+  int byteNo; // I need this after the loop
+
+  int modulusLen = len % 3;
+  int pad = ((modulusLen&1)<<1) + ((modulusLen&2)>>1); // 2 gives 1 and 1 gives 2, but 0 gives 0.
+
+  *flen = 4*(len + pad)/3;
+  res = (char*) malloc( *flen + 1 ); // and one for the null
+  if( !res )
+    return 0;
+
+  for( byteNo = 0; byteNo <= len-3; byteNo+=3 )
+  {
+    unsigned char BYTE0=bin[byteNo];
+    unsigned char BYTE1=bin[byteNo+1];
+    unsigned char BYTE2=bin[byteNo+2];
+    res[rc++]  = b64[ BYTE0 >> 2 ];
+    res[rc++]  = b64[ ((0x3&BYTE0)<<4) + (BYTE1 >> 4) ];
+    res[rc++]  = b64[ ((0x0f&BYTE1)<<2) + (BYTE2>>6) ];
+    res[rc++]  = b64[ 0x3f&BYTE2 ];
+  }
+
+  if( pad==2 )
+  {
+    res[rc++] = b64[ bin[byteNo] >> 2 ];
+    res[rc++] = b64[ (0x3&bin[byteNo])<<4 ];
+    res[rc++] = '=';
+    res[rc++] = '=';
+  }
+  else if( pad==1 )
+  {
+    res[rc++]  = b64[ bin[byteNo] >> 2 ];
+    res[rc++]  = b64[ ((0x3&bin[byteNo])<<4)   +   (bin[byteNo+1] >> 4) ];
+    res[rc++]  = b64[ (0x0f&bin[byteNo+1])<<2 ];
+    res[rc++] = '=';
+  }
+
+  res[rc]=0; // NULL TERMINATOR!;)
+  return res;
+}
+
+unsigned char* unbase64( const char* ascii, int len, int *flen )
+{
+  const unsigned char *safeAsciiPtr = (const unsigned char*)ascii;
+  unsigned char *bin;
+  int cb=0;
+  int charNo;
+  int pad = 0;
+
+  if ((len <= 0) || (len % 4 != 0)) { // 2 accesses below would be OOB.
+    // catch empty string or incorrect padding size, return NULL as result.
+    *flen=0;
+    return 0;
+  }
+  if( safeAsciiPtr[ len-1 ]=='=' )  ++pad;
+  if( safeAsciiPtr[ len-2 ]=='=' )  ++pad;
+
+  *flen = 3*len/4 - pad;
+  bin = (unsigned char*)malloc( *flen );
+  if( !bin )
+    return 0;
+
+  for( charNo=0; charNo <= len - 4 - pad; charNo+=4 )
+  {
+    int A=unb64[safeAsciiPtr[charNo]];
+    int B=unb64[safeAsciiPtr[charNo+1]];
+    int C=unb64[safeAsciiPtr[charNo+2]];
+    int D=unb64[safeAsciiPtr[charNo+3]];
+
+    bin[cb++] = (A<<2) | (B>>4);
+    bin[cb++] = (B<<4) | (C>>2);
+    bin[cb++] = (C<<6) | (D);
+  }
+
+  if( pad==1 )
+  {
+    int A=unb64[safeAsciiPtr[charNo]];
+    int B=unb64[safeAsciiPtr[charNo+1]];
+    int C=unb64[safeAsciiPtr[charNo+2]];
+    
+    bin[cb++] = (A<<2) | (B>>4);
+    bin[cb++] = (B<<4) | (C>>2);
+  }
+  else if( pad==2 )
+  {
+    int A=unb64[safeAsciiPtr[charNo]];
+    int B=unb64[safeAsciiPtr[charNo+1]];
+
+    bin[cb++] = (A<<2) | (B>>4);
+  }
+
+  return bin;
+}
+
+#endif

source/network/https.c

@@ -1,362 +1,481 @@
-// Code by blackb0x @ GBAtemp.net
+/*
-// This allows the Wii to download from servers that use SNI.
+    Code by blackb0x @ GBAtemp.net
-
+    This allows the Wii to download from servers that use SNI.
-#include <stdio.h>
+*/
-#include <stdlib.h>
-#include <string.h>
 #include <network.h>
 #include <ogc/lwp_watchdog.h>
-#include <unistd.h>
 
-#include "https.h"
+#include "base64.h"
 #include "gecko/gecko.hpp"
-#include "picohttpparser.h"
+#include "https.h"
 #include "memory/mem2.hpp"
+#include "proxysettings.h"
 
 u8 loop;
 WOLFSSL_SESSION *session;
 
-int https_write(HTTP_INFO *httpinfo, char *buffer, int len)
+int https_write(HTTP_INFO *httpinfo, char *buffer, int len, bool proxy)
 {
-    int ret, slen = 0;
+	int ret, pos = 0;
-    while (1)
+	int rlen = (len > BLOCK_SIZE) ? BLOCK_SIZE : len;
-    {
+	u64 time = gettime();
-        if (httpinfo->use_https)
+	while (ticks_to_millisecs(diff_ticks(time, gettime())) < READ_WRITE_TIMEOUT)
-            ret = wolfSSL_write(httpinfo->ssl, &buffer[slen], len - slen);
+	{
-        else
+		if (httpinfo->use_https && !proxy)
-            ret = net_write(httpinfo->sock, &buffer[slen], len - slen);
+			ret = wolfSSL_write(httpinfo->ssl, &buffer[pos], rlen);
-
+		else
-        if (ret == 0)
+			ret = net_write(httpinfo->sock, &buffer[pos], rlen);
-            continue;
+		if (ret > 0)
-        else if (ret <= 0)
+		{
-            return ret; // Timeout would return -1
+			pos += ret;
-
+			rlen = (len - pos > BLOCK_SIZE) ? BLOCK_SIZE : len - pos;
-        slen += ret;
+			if (pos >= len)
-        if (slen >= len)
+				return pos;
-            break;
+			time = gettime();
-    }
+		}
-    return slen;
+		usleep(10000);
+	}
+#ifdef DEBUG_NETWORK
+	gprintf("The connection timed out (write)\n");
+#endif
+	return -ETIMEDOUT;
 }
 
-int https_read(HTTP_INFO *httpinfo, char *buffer, int len)
+int https_read(HTTP_INFO *httpinfo, char *buffer, int len, bool proxy)
 {
-    struct pollsd fds[1];
+	int ret = -ETIMEDOUT;
-    fds[0].socket = httpinfo->sock;
+	u64 time = gettime();
-    fds[0].events = POLLIN;
+	if (len > BLOCK_SIZE)
+		len = BLOCK_SIZE;
+	while (ticks_to_millisecs(diff_ticks(time, gettime())) < READ_WRITE_TIMEOUT)
+	{
+		if (httpinfo->use_https && !proxy)
+			ret = wolfSSL_read(httpinfo->ssl, buffer, len);
+		else
+			ret = net_read(httpinfo->sock, buffer, len);
+		if (ret >= 0)
+			return ret;
+		usleep(10000);
+	}
+#ifdef DEBUG_NETWORK
+	gprintf("The connection timed out (read)\n");
+#endif
+	return -ETIMEDOUT;
+}
 
-    net_fcntl(httpinfo->sock, F_SETFL, 4);
+int send_callback(__attribute__((unused)) WOLFSSL *ssl, char *buf, int sz, void *ctx)
-    switch (net_poll(fds, 1, READ_WRITE_TIMEOUT))
+{
-    {
+	int sent = net_write(*(int *)ctx, buf, sz);
-    case -1:
+	if (sent < 0)
-#ifdef DEBUG_NETWORK
+	{
-        gprintf("net_poll error\n");
+		if (sent == -EAGAIN)
-#endif
+			return WOLFSSL_CBIO_ERR_WANT_WRITE;
-        return -1;
+		else if (sent == -ECONNRESET)
-    case 0:
+			return WOLFSSL_CBIO_ERR_CONN_RST;
-#ifdef DEBUG_NETWORK
+		else if (sent == -EINTR)
-        gprintf("The connection timed out\n");
+			return WOLFSSL_CBIO_ERR_ISR;
-#endif
+		else if (sent == -EPIPE)
-        return -ETIMEDOUT;
+			return WOLFSSL_CBIO_ERR_CONN_CLOSE;
-    default:
+		else
-        net_fcntl(httpinfo->sock, F_SETFL, 0);
+			return WOLFSSL_CBIO_ERR_GENERAL;
-        if (len > 8192)
+	}
-            len = 8192; // 16KB is the max on a Wii, but 8KB is safe
+	return sent;
-        if (httpinfo->use_https)
+}
-            return wolfSSL_read(httpinfo->ssl, buffer, len);
+
-        return net_read(httpinfo->sock, buffer, len);
+int recv_callback(__attribute__((unused)) WOLFSSL *ssl, char *buf, int sz, void *ctx)
-    }
+{
+	int recvd = net_read(*(int *)ctx, buf, sz);
+	if (recvd < 0)
+	{
+		if (recvd == -EAGAIN)
+			return WOLFSSL_CBIO_ERR_WANT_READ;
+		else if (recvd == -ECONNRESET)
+			return WOLFSSL_CBIO_ERR_CONN_RST;
+		else if (recvd == -EINTR)
+			return WOLFSSL_CBIO_ERR_ISR;
+		else if (recvd == -ECONNABORTED)
+			return WOLFSSL_CBIO_ERR_CONN_CLOSE;
+		else
+			return WOLFSSL_CBIO_ERR_GENERAL;
+	}
+	else if (recvd == 0)
+		return WOLFSSL_CBIO_ERR_CONN_CLOSE;
+	return recvd;
 }
 
 void https_close(HTTP_INFO *httpinfo)
 {
-    if (httpinfo->use_https)
+	if (httpinfo->use_https)
-    {
+	{
-        if (wolfSSL_shutdown(httpinfo->ssl) == SSL_SHUTDOWN_NOT_DONE)
+		wolfSSL_shutdown(httpinfo->ssl);
-            wolfSSL_shutdown(httpinfo->ssl);
+		wolfSSL_free(httpinfo->ssl);
-        wolfSSL_free(httpinfo->ssl);
+		wolfSSL_CTX_free(httpinfo->ctx);
-        wolfSSL_CTX_free(httpinfo->ctx);
+	}
-    }
+	net_close(httpinfo->sock);
-    net_close(httpinfo->sock);
 #ifdef DEBUG_NETWORK
-    gprintf("Closed socket and cleaned up\n");
+	gprintf("Closed socket and cleaned up\n");
 #endif
 }
 
-u8 get_header_value(struct phr_header *headers, size_t num_headers, char *dst, char *header)
+bool get_header_value(struct phr_header *headers, size_t num_headers, char *dst, char *header)
 {
-    for (size_t i = 0; i != num_headers; ++i)
+	for (size_t i = 0; i != num_headers; ++i)
-    {
+	{
-        if (strncasecmp(header, headers[i].name, headers[i].name_len) == 0)
+		if (strncasecmp(header, headers[i].name, headers[i].name_len) == 0)
-        {
+		{
-            strlcpy(dst, headers[i].value, headers[i].value_len + 1);
+			strlcpy(dst, headers[i].value, headers[i].value_len + 1);
-            return 1;
+			return true;
-        }
+		}
-    }
+	}
-    return 0;
+	return false;
 }
 
-u8 is_chunked(struct phr_header *headers, size_t num_headers)
+u64 get_header_value_int(struct phr_header *headers, size_t num_headers, char *header)
 {
-    char encoding[10] = {};
+	char header_value[30];
-    if (!get_header_value(headers, num_headers, encoding, "transfer-encoding"))
+	if (!get_header_value(headers, num_headers, header_value, header))
-        return 0;
+		return 0;
-    return (strcasecmp(encoding, "chunked") == 0) ? 1 : 0;
+	return strtoull(header_value, NULL, 0);
 }
 
-u8 read_chunked(HTTP_INFO *httpinfo, struct download *buffer, size_t start_pos)
+bool is_chunked(struct phr_header *headers, size_t num_headers)
 {
-    struct phr_chunked_decoder decoder = {};
+	char encoding[9];
-    size_t capacity = 4096, rsize;
+	if (!get_header_value(headers, num_headers, encoding, "transfer-encoding"))
-    ssize_t rret, pret;
+		return false;
-    decoder.consume_trailer = 1;
+	return (strcasecmp(encoding, "chunked") == 0) ? true : false;
-#ifdef DEBUG_NETWORK
-    gprintf("Data is chunked\n");
-#endif
-    do
-    {
-        if (start_pos == capacity)
-        {
-#ifdef DEBUG_NETWORK
-            gprintf("Increased buffer size\n");
-#endif
-            capacity *= 2;
-            buffer->data = MEM2_realloc(buffer->data, capacity);
-        }
-        while ((rret = https_read(httpinfo, &buffer->data[start_pos], capacity - start_pos)) == -1 && errno == EINTR)
-            ;
-        if (rret <= 0)
-        {
-#ifdef DEBUG_NETWORK
-            gprintf("IO error\n");
-#endif
-            return 0;
-        }
-        rsize = rret;
-        pret = phr_decode_chunked(&decoder, &buffer->data[start_pos], &rsize);
-        if (pret == -1)
-        {
-#ifdef DEBUG_NETWORK
-            gprintf("Parse error\n");
-#endif
-            return 0;
-        }
-        start_pos += rsize;
-    } while (pret == -2);
-    buffer->size = start_pos;
-    buffer->data = MEM2_realloc(buffer->data, buffer->size);
-    return 1;
 }
 
-u8 read_all(HTTP_INFO *httpinfo, struct download *buffer, size_t start_pos)
+bool read_chunked(HTTP_INFO *httpinfo, struct download *buffer, size_t start_pos)
 {
-    size_t capacity = 4096;
+	struct phr_chunked_decoder decoder = {0};
-    ssize_t ret;
+	size_t rsize, capacity = 4096;
+	ssize_t pret;
+	int ret;
+	decoder.consume_trailer = true;
 #ifdef DEBUG_NETWORK
-    gprintf("Data is not chunked\n");
+	gprintf("Data is chunked\n");
 #endif
-    while (1)
+	do
-    {
+	{
-        if (start_pos == capacity)
+		if (start_pos == capacity)
-        {
+		{
 #ifdef DEBUG_NETWORK
-            gprintf("Increased buffer size\n");
+			gprintf("Increased buffer size\n");
 #endif
-            capacity *= 2;
+			capacity *= 2;
-            buffer->data = MEM2_realloc(buffer->data, capacity);
+			buffer->data = MEM2_realloc(buffer->data, capacity);
-        }
+		}
-        while ((ret = https_read(httpinfo, &buffer->data[start_pos], capacity - start_pos)) == -1 && errno == EINTR)
+		if ((ret = https_read(httpinfo, &buffer->data[start_pos], capacity - start_pos, false)) < 1)
-            ;
+			return false;
-        if (ret == 0)
+		rsize = ret;
-            break;
+		pret = phr_decode_chunked(&decoder, &buffer->data[start_pos], &rsize);
-        if (ret < 0)
+		if (pret == -1)
-            return 0;
+		{
+#ifdef DEBUG_NETWORK
+			gprintf("Parse error\n");
+#endif
+			return false;
+		}
+		start_pos += rsize;
+	} while (pret == -2);
+	buffer->size = start_pos;
+	buffer->data = MEM2_realloc(buffer->data, buffer->size);
+	return true;
+}
 
-        start_pos += ret;
+bool read_all(HTTP_INFO *httpinfo, struct download *buffer, size_t start_pos)
-    };
+{
-    buffer->size = start_pos;
+	size_t capacity = 4096;
-    buffer->data = MEM2_realloc(buffer->data, buffer->size);
+	int ret;
-    return 1;
+#ifdef DEBUG_NETWORK
+	gprintf("Data is not chunked\n");
+#endif
+	while (true)
+	{
+		if (start_pos == capacity)
+		{
+#ifdef DEBUG_NETWORK
+			gprintf("Increased buffer size\n");
+#endif
+			capacity *= 2;
+			buffer->data = MEM2_realloc(buffer->data, capacity);
+		}
+		if ((ret = https_read(httpinfo, &buffer->data[start_pos], capacity - start_pos, false)) == 0)
+			break;
+		if (ret < 0)
+			return false;
+		start_pos += ret;
+	};
+	buffer->size = start_pos;
+	buffer->data = MEM2_realloc(buffer->data, buffer->size);
+	return (buffer->content_length > 0 && buffer->content_length == start_pos) ? true : false;
+}
+
+bool get_response(HTTP_INFO *httpinfo, HTTP_RESPONSE *resp, bool proxy)
+{
+	int rret, minor_version;
+	size_t msg_len, prevbuflen;
+	const char *msg;
+
+	while (true)
+	{
+		if ((rret = https_read(httpinfo, &resp->data[resp->buflen], 1, proxy)) < 1)
+			return false;
+		prevbuflen = resp->buflen;
+		resp->buflen += rret;
+		// Parse the response
+		resp->num_headers = sizeof(resp->headers) / sizeof(resp->headers[0]);
+		if ((resp->pret = phr_parse_response(resp->data, resp->buflen, &minor_version, &resp->status, &msg, &msg_len, resp->headers, &resp->num_headers, prevbuflen)) > 0)
+			return true; // Successfully parsed the response
+		else if (resp->pret == -1)
+		{
+#ifdef DEBUG_NETWORK
+			gprintf("pret error %i\n", resp->pret);
+#endif
+			return false;
+		}
+		if (resp->buflen == sizeof(resp->data))
+		{
+#ifdef DEBUG_NETWORK
+			gprintf("buflen error %lu\n", (unsigned long)resp->buflen);
+#endif
+			return false;
+		}
+	}
+	return false;
+}
+
+bool check_ip(char *str)
+{
+	int partA, partB, partC, partD;
+	char extra;
+	// We avoid using regex because it increases the file size
+	return (sscanf(str, "%d.%d.%d.%d%c", &partA, &partB, &partC, &partD, &extra) == 4) ? true : false;
+}
+
+bool connect_proxy(HTTP_INFO *httpinfo, char *host, char *username, char *password)
+{
+	HTTP_RESPONSE response = {0};
+	char request[500];
+	char credentials[65];
+	char *auth;
+	int len;
+	if (username && password)
+	{
+		if(!snprintf(credentials, sizeof(credentials), "%s:%s", username, password))
+			return false;
+		if(!(auth = base64(credentials, strlen(credentials), &len)))
+			return false;
+		len = snprintf(request, sizeof(request), "CONNECT %s:%i HTTP/1.1\r\nProxy-Authorization: Basic %s\r\nUser-Agent: curl/7.55.1\r\n\r\n", host, httpinfo->use_https ? 443 : 80, auth);
+		free(auth);
+	}
+	else
+		len = snprintf(request, sizeof(request), "CONNECT %s:%i HTTP/1.1\r\nUser-Agent: curl/7.55.1\r\n\r\n", host, httpinfo->use_https ? 443 : 80);
+	if (len > 0 && https_write(httpinfo, request, len, true) != len)
+		return false;
+	if (get_response(httpinfo, &response, true))
+	{
+		if (response.status == 200)
+			return true;
+	}
+	return false;
 }
 
 int connect(char *host, u16 port)
 {
-    struct sockaddr_in sin;
+	struct sockaddr_in sin;
-    s32 sock, ret;
+	s32 sock, ret;
-    u64 t;
+	u32 ipaddress;
-
+	u64 time;
-    u32 ipaddress = getipbynamecached(host);
-    if (ipaddress == 0)
-        return -1;
-
-    sock = net_socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
-    if (sock < 0)
-        return sock;
-
-    memset(&sin, 0, sizeof(struct sockaddr_in));
-    sin.sin_family = AF_INET;
-    sin.sin_port = htons(port);
-    sin.sin_addr.s_addr = ipaddress;
 #ifdef DEBUG_NETWORK
-    gprintf("Connecting to %s (%s)\n", host, inet_ntoa(sin.sin_addr));
+	gprintf("Connecting to %s", host);
 #endif
-    net_fcntl(sock, F_SETFL, 4);
+	if ((ipaddress = check_ip(host) ? inet_addr(host) : getipbynamecached(host)) == 0)
-    t = gettime();
+		return -EFAULT;
-    while (1)
+	sin.sin_family = AF_INET;
-    {
+	sin.sin_port = htons(port);
-        if (ticks_to_millisecs(diff_ticks(t, gettime())) > TCP_CONNECT_TIMEOUT)
+	sin.sin_addr.s_addr = ipaddress;
-        {
 #ifdef DEBUG_NETWORK
-            gprintf("The connection timed out\n");
+	if (!check_ip(host))
+		gprintf(" (%s)", inet_ntoa(sin.sin_addr));
 #endif
-            net_close(sock);
+	if ((sock = net_socket(AF_INET, SOCK_STREAM, IPPROTO_IP)) < 0)
-            return -ETIMEDOUT;
+		return sock;
-        }
+	net_fcntl(sock, F_SETFL, 4);
-        ret = net_connect(sock, (struct sockaddr *)&sin, sizeof(sin));
+	time = gettime();
-        if (ret < 0)
+	while (ticks_to_millisecs(diff_ticks(time, gettime())) < CONNECT_TIMEOUT)
-        {
+	{
-            if (ret == -EISCONN)
+		if ((ret = net_connect(sock, (struct sockaddr *)&sin, sizeof(sin))) < 0)
-                break;
+		{
-            if (ret == -EINPROGRESS || ret == -EALREADY)
+			if (ret == -EISCONN)
-            {
+				return sock;
-                usleep(20 * 1000);
+			if (ret == -EINPROGRESS || ret == -EALREADY)
-                continue;
+			{
-            }
+				usleep(10000);
-            net_close(sock);
+				continue;
-            return ret;
+			}
-        }
+			net_close(sock);
-        break;
+			return ret;
-    }
+		}
-    net_fcntl(sock, F_SETFL, 0);
+	}
-    return sock;
+	net_close(sock);
+	return -ETIMEDOUT;
 }
 
 void downloadfile(const char *url, struct download *buffer)
 {
-    HTTP_INFO httpinfo;
+	HTTP_INFO httpinfo = {0};
-    memset(&httpinfo, 0, sizeof(HTTP_INFO));
+	// Always reset the size due to the image downloader looping
-    // Always reset the size due to the image downloader looping
+	buffer->size = 0;
-    buffer->size = 0;
+	// Check if we're using HTTPS and set the path
+	char *path;
+	if (strncmp(url, "https://", 8) == 0)
+	{
+		httpinfo.use_https = 1;
+		path = strchr(url + 8, '/');
+	}
+	else if (strncmp(url, "http://", 7) == 0)
+	{
+		httpinfo.use_https = 0;
+		path = strchr(url + 7, '/');
+	}
+	else
+		return;
+	if (path == NULL)
+		return;
+	// Get the host
+	int domainlength = path - url - 7 - httpinfo.use_https;
+	char host[domainlength + 1];
+	strlcpy(host, url + 7 + httpinfo.use_https, domainlength + 1);
+	// Start connecting
+	if (getProxyAddress() && getProxyPort() > 0)
+		httpinfo.sock = connect(getProxyAddress(), getProxyPort());
+	else
+		httpinfo.sock = connect(host, httpinfo.use_https ? 443 : 80);
 
-    // Check if we're using HTTPS and set the path
+	if (httpinfo.sock < 0)
-    char *path;
+	{
-    if (strncmp(url, "https://", 8) == 0)
-    {
-        httpinfo.use_https = 1;
-        path = strchr(url + 8, '/');
-    }
-    else if (strncmp(url, "http://", 7) == 0)
-    {
-        httpinfo.use_https = 0;
-        path = strchr(url + 7, '/');
-    }
-    else
-        return; // Prevents uninitialized warning
-
-    if (path == NULL)
-        return;
-
-    // Get the host
-    int domainlength = path - url - 7 - httpinfo.use_https;
-    char host[domainlength + 1];
-    strlcpy(host, url + 7 + httpinfo.use_https, domainlength + 1);
-
-    // Start connecting
-    if ((httpinfo.sock = connect(host, httpinfo.use_https ? 443 : 80)) < 0)
-    {
 #ifdef DEBUG_NETWORK
-        gprintf("Failed to connect to %s\n", host);
+		if (httpinfo.sock == -ETIMEDOUT)
+			gprintf("\nFailed to connect (timed out)\n");
+		else
+			gprintf("\nFailed to connect (%i)\n", httpinfo.sock);
 #endif
-        return;
+		return;
-    }
+	}
 #ifdef DEBUG_NETWORK
-    else
+	gprintf("\nConnected\n");
-        gprintf("Connected\n");
 #endif
-
+	// Connect to a web proxy without credentials
-    if (httpinfo.use_https)
+	if (getProxyAddress() && getProxyPort() > 0)
-    {
+	{
-        // Create a new SSL context
+		if (!connect_proxy(&httpinfo, host, getProxyUsername(), getProxyPassword()))
-        // wolfSSLv23_client_method() works, but resume would require further changes
+		{
-        if ((httpinfo.ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())) == NULL)
-        {
 #ifdef DEBUG_NETWORK
-            gprintf("Failed to create WOLFSSL_CTX\n");
+			gprintf("Failed to connect to proxy (%s:%i)\n", getProxyAddress(), getProxyPort());
 #endif
-            https_close(&httpinfo);
+			https_close(&httpinfo);
-            return;
+			return;
-        }
+		}
-        // Don't verify certificates
+		session = NULL; // Resume doesn't work with a proxy
-        wolfSSL_CTX_set_verify(httpinfo.ctx, WOLFSSL_VERIFY_NONE, 0);
-        // Enable SNI
-        if (wolfSSL_CTX_UseSNI(httpinfo.ctx, 0, host, strlen(host)) != WOLFSSL_SUCCESS)
-        {
 #ifdef DEBUG_NETWORK
-            gprintf("Failed to set SNI\n");
+		gprintf("Proxy is ready to receive\n");
 #endif
-            https_close(&httpinfo);
+	}
-            return;
+	// Setup for HTTPS if it's necessary
-        }
+	if (httpinfo.use_https)
-        // Create a new wolfSSL session
+	{
-        if ((httpinfo.ssl = wolfSSL_new(httpinfo.ctx)) == NULL)
+		// Create a new SSL context
-        {
+		// wolfSSLv23_client_method() works but resume would require further changes
+		if ((httpinfo.ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())) == NULL)
+		{
 #ifdef DEBUG_NETWORK
-            gprintf("SSL session creation failed\n");
+			gprintf("Failed to create WOLFSSL_CTX\n");
 #endif
-            https_close(&httpinfo);
+			https_close(&httpinfo);
-            return;
+			return;
-        }
+		}
-        // Set the file descriptor
+		// Don't verify certificates
-        if (wolfSSL_set_fd(httpinfo.ssl, httpinfo.sock) != SSL_SUCCESS)
+		wolfSSL_CTX_set_verify(httpinfo.ctx, WOLFSSL_VERIFY_NONE, 0);
-        {
+		// Enable SNI
+		if (wolfSSL_CTX_UseSNI(httpinfo.ctx, 0, host, strlen(host)) != WOLFSSL_SUCCESS)
+		{
 #ifdef DEBUG_NETWORK
-            gprintf("Failed to set SSL file descriptor\n");
+			gprintf("Failed to set SNI\n");
 #endif
-            https_close(&httpinfo);
+			https_close(&httpinfo);
-            return;
+			return;
-        }
+		}
-        // Attempt to resume the session
+		// Custom I/O is essential due to how libogc handles errors
-        if (session != NULL && wolfSSL_set_session(httpinfo.ssl, session) != SSL_SUCCESS)
+		wolfSSL_SetIOSend(httpinfo.ctx, send_callback);
-        {
+		wolfSSL_SetIORecv(httpinfo.ctx, recv_callback);
+		// Create a new wolfSSL session
+		if ((httpinfo.ssl = wolfSSL_new(httpinfo.ctx)) == NULL)
+		{
 #ifdef DEBUG_NETWORK
-            gprintf("Failed to set session (session timed out?)\n");
+			gprintf("SSL session creation failed\n");
 #endif
-            session = NULL;
+			https_close(&httpinfo);
-        }
+			return;
-        // Initiate a handshake
+		}
-        if (wolfSSL_connect(httpinfo.ssl) != SSL_SUCCESS)
+		// Set the file descriptor
-        {
+		if (wolfSSL_set_fd(httpinfo.ssl, httpinfo.sock) != SSL_SUCCESS)
+		{
 #ifdef DEBUG_NETWORK
-            gprintf("SSL handshake failed\n");
+			gprintf("Failed to set SSL file descriptor\n");
 #endif
-            https_close(&httpinfo);
+			https_close(&httpinfo);
-            return;
+			return;
-        }
+		}
-        // Check if we resumed successfully
+		// Attempt to resume the session
-        if (session != NULL && !wolfSSL_session_reused(httpinfo.ssl))
+		if (session != NULL && wolfSSL_set_session(httpinfo.ssl, session) != SSL_SUCCESS)
-        {
+		{
 #ifdef DEBUG_NETWORK
-            gprintf("Failed to resume session\n");
+			gprintf("Failed to set session (session timed out?)\n");
 #endif
-            session = NULL;
+			session = NULL;
-        }
+		}
-        // Cipher info
+		// Initiate a handshake
+		u64 time = gettime();
+		while (true)
+		{
+			if (ticks_to_millisecs(diff_ticks(time, gettime())) > CONNECT_TIMEOUT)
+			{
 #ifdef DEBUG_NETWORK
-        /*char ciphers[4096];
+				gprintf("SSL handshake failed\n");
+#endif
+				https_close(&httpinfo);
+				return;
+			}
+			if (wolfSSL_connect(httpinfo.ssl) == SSL_SUCCESS)
+				break;
+			usleep(10000);
+		}
+		// Check if we resumed successfully
+		if (session != NULL && !wolfSSL_session_reused(httpinfo.ssl))
+		{
+#ifdef DEBUG_NETWORK
+			gprintf("Failed to resume session\n");
+#endif
+			session = NULL;
+		}
+		// Cipher info
+#ifdef DEBUG_NETWORK
+		/*char ciphers[4096];
         wolfSSL_get_ciphers(ciphers, (int)sizeof(ciphers));
         gprintf("All supported ciphers: %s\n", ciphers);*/
-        WOLFSSL_CIPHER *cipher = wolfSSL_get_current_cipher(httpinfo.ssl);
+		WOLFSSL_CIPHER *cipher = wolfSSL_get_current_cipher(httpinfo.ssl);
-        gprintf("Using: %s - %s\n", wolfSSL_get_version(httpinfo.ssl), wolfSSL_CIPHER_get_name(cipher));
+		gprintf("Using: %s - %s\n", wolfSSL_get_version(httpinfo.ssl), wolfSSL_CIPHER_get_name(cipher));
 #endif
-    }
+	}
-
+	// Send our request
-    // Send our request
+	char request[2300];
-    char request[2200];
+	char isgecko[36] = "Cookie: challenge=BitMitigate.com\r\n";
-    char isgecko[36] = "Cookie: challenge=BitMitigate.com\r\n";
+	int ret, len;
-    int ret, len;
+	if (strncmp(host, "www.geckocodes.org", 18) != 0)
-    if (strcmp(host, "www.geckocodes.org") != 0)
+		memset(isgecko, 0, sizeof(isgecko)); // Not geckocodes, so don't set a cookie
-        memset(isgecko, 0, sizeof(isgecko)); // Not geckocodes, so don't set a cookie
+    len = snprintf(request, sizeof(request),
-
-    len = snprintf(request, 2200,
                    "GET %s HTTP/1.1\r\n"
                    "Host: %s\r\n"
                    "User-Agent: WiiFlow-Lite\r\n"
@@ -365,132 +484,95 @@ void downloadfile(const char *url, struct download *buffer)
                    "Pragma: no-cache\r\n"
                    "Cache-Control: no-cache\r\n\r\n",
                    path, host, isgecko);
-    if ((ret = https_write(&httpinfo, request, len)) != len)
+	if ((ret = https_write(&httpinfo, request, len, false)) != len)
-    {
+	{
 #ifdef DEBUG_NETWORK
-        gprintf("https_write error: %i\n", ret);
+		gprintf("https_write error: %i\n", ret);
 #endif
-        https_close(&httpinfo);
+		https_close(&httpinfo);
-        return;
+		return;
-    }
+	}
-
+	// Check if we want a response
-    // Check if we want a response
+	if (buffer->skip_response)
-    if (buffer->skip_response)
+	{
-    {
 #ifdef DEBUG_NETWORK
-        gprintf("Sent request to %s and skipping response\n", host);
+		gprintf("Sent request to %s and skipping response\n", host);
 #endif
-        https_close(&httpinfo);
+		https_close(&httpinfo);
-        return;
+		return;
-    }
+	}
-
+	// Get the response
-    // Get the response
+	HTTP_RESPONSE response = {0};
-    char response[4096];
+	if (!get_response(&httpinfo, &response, false))
-    struct phr_header headers[100];
+	{
-    int pret, minor_version, status, dl_valid;
+		https_close(&httpinfo);
-    size_t buflen = 0, prevbuflen = 0, num_headers, msg_len;
+		return;
-    ssize_t rret;
+	}
-    const char *msg;
+	// The website wants to redirect us
-
+	if (response.status == 301 || response.status == 302)
-    while (1)
+	{
-    {
+		https_close(&httpinfo);
-        // Read the response
+		if (loop == REDIRECT_LIMIT)
-        while ((rret = https_read(&httpinfo, &response[buflen], 1)) == -1 && errno == EINTR)
+		{
-            ;
-        if (rret <= 0)
-        {
 #ifdef DEBUG_NETWORK
-            gprintf("rret error %i\n", rret);
+			gprintf("Reached redirect limit\n");
 #endif
-            https_close(&httpinfo);
+			return;
-            return;
+		}
-        }
+		loop++;
-        prevbuflen = buflen;
+		char location[2049];
-        buflen += rret;
+		if (!get_header_value(response.headers, response.num_headers, location, "location"))
-        // Parse the response
+			return;
-        num_headers = sizeof(headers) / sizeof(headers[0]);
-        pret = phr_parse_response(response, buflen, &minor_version, &status, &msg, &msg_len, headers, &num_headers, prevbuflen);
-        if (pret > 0)
-            break; // Successfully parsed the response
-        else if (pret == -1)
-        {
 #ifdef DEBUG_NETWORK
-            gprintf("pret error %i\n", pret);
+		gprintf("Redirect #%i - %s\n", loop, location);
 #endif
-            https_close(&httpinfo);
+		downloadfile(location, buffer);
-            return;
+		return;
-        }
+	}
-        // Response is incomplete so continue the loop
+	// It's not 301 or 302, so reset the loop
-        if (buflen == sizeof(response))
+	loop = 0;
-        {
+	// We got what we wanted
+	if (response.status == 200)
+	{
+		buffer->data = MEM2_alloc(4096);
+		memcpy(buffer->data, &response.data[response.pret], response.buflen - response.pret);
+		// Determine how to read the data
+		bool dl_valid;
+		if (is_chunked(response.headers, response.num_headers))
+			dl_valid = read_chunked(&httpinfo, buffer, response.buflen - response.pret);
+		else
+		{
+			buffer->content_length = get_header_value_int(response.headers, response.num_headers, "content-length");
+			dl_valid = read_all(&httpinfo, buffer, response.buflen - response.pret);
+		}
+		// Check if the download is incomplete
+		if (!dl_valid || buffer->size < 1)
+		{
+			buffer->size = 0;
+			MEM2_free(buffer->data);
 #ifdef DEBUG_NETWORK
-            gprintf("buflen error %i\n", buflen);
+			gprintf("Removed incomplete download\n");
 #endif
-            https_close(&httpinfo);
+			https_close(&httpinfo);
-            return;
+			return;
-        }
+		}
-    }
+		// Save the session
-
+		if (httpinfo.use_https)
-    // The website wants to redirect us
+			session = wolfSSL_get_session(httpinfo.ssl);
-    if (status == 301 || status == 302)
+		// Finished
-    {
+		https_close(&httpinfo);
-        https_close(&httpinfo);
-        if (loop == REDIRECT_LIMIT)
-        {
 #ifdef DEBUG_NETWORK
-            gprintf("Reached redirect limit\n");
+		gprintf("Download size: %llu\n", (long long)buffer->size);
+		gprintf("------------- HEADERS -------------\n");
+		for (size_t i = 0; i != response.num_headers; ++i)
+			gprintf("%.*s: %.*s\n", (int)response.headers[i].name_len, response.headers[i].name, (int)response.headers[i].value_len, response.headers[i].value);
+		gprintf("------------ COMPLETED ------------\n");
 #endif
-            return;
+		return;
-        }
+	}
-        loop++;
+	// Close on all other status codes
-        char location[2100] = {};
-        if (!get_header_value(headers, num_headers, location, "location"))
-            return;
 #ifdef DEBUG_NETWORK
-        gprintf("Redirect #%i - %s\n", loop, location);
+	gprintf("Status code: %i - %s\n", response.status, url);
 #endif
-        downloadfile(location, buffer);
+	https_close(&httpinfo);
-        return;
-    }
-    // It's not 301 or 302, so reset the loop
-    loop = 0;
-    // We got what we wanted
-    if (status == 200)
-    {
-        buffer->data = MEM2_alloc(4096);
-        memcpy(buffer->data, &response[pret], buflen - pret);
-        // Determine how to read the data
-        if (is_chunked(headers, num_headers))
-            dl_valid = read_chunked(&httpinfo, buffer, buflen - pret);
-        else
-            dl_valid = read_all(&httpinfo, buffer, buflen - pret);
-        // Check if the download is incomplete
-        if (!dl_valid || buffer->size <= 0)
-        {
-            buffer->size = 0;
-            MEM2_free(buffer->data);
-#ifdef DEBUG_NETWORK
-            gprintf("Removed incomplete download\n");
-#endif
-            https_close(&httpinfo);
-            return;
-        }
-        // Save the session
-        if (httpinfo.use_https)
-            session = wolfSSL_get_session(httpinfo.ssl);
-        // Finished
-        https_close(&httpinfo);
-#ifdef DEBUG_NETWORK
-        gprintf("Download size: %llu\n", buffer->size);
-        gprintf("Headers:\n");
-        for (size_t i = 0; i != num_headers; ++i)
-            gprintf("%.*s: %.*s\n", (int)headers[i].name_len, headers[i].name, (int)headers[i].value_len, headers[i].value);
-#endif
-        return;
-    }
-    // Close on all other status codes
-#ifdef DEBUG_NETWORK
-    gprintf("Status code: %i - %s\n", status, url);
-#endif
-    https_close(&httpinfo);
 }

source/network/https.h

@@ -1,11 +1,14 @@
-// Code by blackb0x @ GBAtemp.net
+/*
-// This allows the Wii to download from servers that use SNI.
+    Code by blackb0x @ GBAtemp.net
-
+    This allows the Wii to download from servers that use SNI.
+*/
 #ifndef _HTTPS_H_
 #define _HTTPS_H_
 
 #include <libwolfssl/ssl.h>
+
 #include "dns.h"
+#include "picohttpparser.h"
 
 #ifdef __cplusplus
 extern "C"
@@ -14,26 +17,38 @@ extern "C"
 
 // #define DEBUG_NETWORK
 #define REDIRECT_LIMIT 3
-#define TCP_CONNECT_TIMEOUT 5000
+#define CONNECT_TIMEOUT 10000
-#define READ_WRITE_TIMEOUT 5000
+#define READ_WRITE_TIMEOUT 20000
+#define BLOCK_SIZE 8192
 
-    struct download
+	struct download
-    {
+	{
-        u8 skip_response; // Used by WiinnerTag
+		bool skip_response; // Used by WiinnerTag
-        u64 size;
+		u64 content_length;
-        char *data;
+		u64 size;
-    };
+		char *data;
+	};
 
-    typedef struct
+	typedef struct
-    {
+	{
-        u8 use_https;
+		int status;
-        s32 sock;
+		int pret;
-        WOLFSSL *ssl;
+		size_t num_headers;
-        WOLFSSL_CTX *ctx;
+		size_t buflen;
-    } HTTP_INFO;
+		struct phr_header headers[100];
+		char data[4096];
+	} HTTP_RESPONSE;
 
-    void downloadfile(const char *url, struct download *buffer);
+	typedef struct
-    int wolfSSL_CTX_UseSNI(WOLFSSL_CTX *ctx, unsigned char type, const void *data, unsigned short size);
+	{
+		u8 use_https;
+		s32 sock;
+		WOLFSSL *ssl;
+		WOLFSSL_CTX *ctx;
+	} HTTP_INFO;
+
+	void downloadfile(const char *url, struct download *buffer);
+	int wolfSSL_CTX_UseSNI(WOLFSSL_CTX *ctx, unsigned char type, const void *data, unsigned short size);
 
 #ifdef __cplusplus
 }

source/network/picohttpparser.c

@@ -355,10 +355,12 @@ static const char *parse_request(const char *buf, const char *buf_end, const cha
     ADVANCE_TOKEN(*method, *method_len);
     do {
         ++buf;
+        CHECK_EOF();
     } while (*buf == ' ');
     ADVANCE_TOKEN(*path, *path_len);
     do {
         ++buf;
+        CHECK_EOF();
     } while (*buf == ' ');
     if (*method_len == 0 || *path_len == 0) {
         *ret = -1;
@@ -422,6 +424,7 @@ static const char *parse_response(const char *buf, const char *buf_end, int *min
     }
     do {
         ++buf;
+        CHECK_EOF();
     } while (*buf == ' ');
     /* parse status code, we want at least [:digit:][:digit:][:digit:]<other char> to try to parse */
     if (buf_end - buf < 4) {
@@ -437,7 +440,8 @@ static const char *parse_response(const char *buf, const char *buf_end, int *min
     if (*msg_len == 0) {
         /* ok */
     } else if (**msg == ' ') {
-        /* remove preceding space */
+        /* Remove preceding space. Successful return from `get_token_to_eol` guarantees that we would hit something other than SP
+         * before running past the end of the given buffer. */
         do {
             ++*msg;
             --*msg_len;

source/network/proxysettings.cpp

@@ -0,0 +1,73 @@
+
+#include <ogcsys.h>
+#include <ogc/isfs.h>
+#include <string.h>
+
+#include "proxysettings.h"
+#include "menu/menu.hpp"
+
+#define ALIGN32(x) (((x) + 31) & ~31)
+
+bool proxy_enabled;
+char proxy_address[256];
+u16 proxy_port;
+char proxy_username[33];
+char proxy_password[33];
+
+void getProxyInfo()
+{
+	char *buffer;
+	int fd = ISFS_Open("/shared2/sys/net/02/config.dat", ISFS_OPEN_READ);
+	if (fd >= 0)
+	{
+		fstats stats ATTRIBUTE_ALIGN(32) = {};
+		if(ISFS_GetFileStats(fd, &stats) >= 0)
+		{
+			if (stats.file_length > 0)
+			{
+				buffer = (char*)MEM2_alloc(ALIGN32(stats.file_length));
+				if (buffer)
+				{
+					if(ISFS_Read(fd, buffer, stats.file_length) == 7004)
+					{
+						proxy_enabled = buffer[44];
+						strncpy(proxy_address, buffer + 48, sizeof(proxy_address) - 1);
+						proxy_port = ((buffer[304] & 0xFF) << 8) | (buffer[305] & 0xFF);
+						strncpy(proxy_username, buffer + 306, sizeof(proxy_username) - 1);
+						strncpy(proxy_password, buffer + 338, sizeof(proxy_password) - 1);
+					}
+				}
+				MEM2_free(buffer);
+			}
+		}
+		ISFS_Close(fd);
+	}
+}
+
+char* getProxyAddress()
+{
+	if (mainMenu.proxyUseSystem)
+		return proxy_enabled ? proxy_address : NULL;
+	return (strlen(mainMenu.proxyAddress) > 6) ? mainMenu.proxyAddress : NULL;
+}
+
+u16 getProxyPort()
+{
+	if (mainMenu.proxyUseSystem)
+		return proxy_enabled ? proxy_port : 0;
+	return mainMenu.proxyPort; 
+}
+
+char* getProxyUsername()
+{
+	if (mainMenu.proxyUseSystem)
+		return proxy_enabled ? proxy_username : NULL;
+	return (strlen(mainMenu.proxyUsername) > 0) ? mainMenu.proxyUsername : NULL;
+}
+
+char* getProxyPassword()
+{
+	if (mainMenu.proxyUseSystem)
+		return proxy_enabled ? proxy_password : NULL;
+	return (strlen(mainMenu.proxyPassword) > 0) ? mainMenu.proxyPassword : NULL;
+}

source/network/proxysettings.h

@@ -0,0 +1,18 @@
+
+#ifndef _PROXYSETTINGS_
+#define _PROXYSETTINGS_
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+	void getProxyInfo();
+	char *getProxyAddress();
+	u16 getProxyPort();
+	char *getProxyUsername();
+	char *getProxyPassword();
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PROXYSETTINGS_ */