Merge pull request #1251 from kojo1/openSSL-Compat-201711

openSSL compatibility 201711

src/internal.c

@@ -1544,7 +1544,10 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
 #endif /* !NO_WOLFSSL_SERVER */
 
 #endif /* HAVE_TLS_EXTENSIONS */
-
+#ifdef OPENSSL_EXTRA
+    if(ctx->alpn_cli_protos)
+        XFREE((void *)ctx->alpn_cli_protos, NULL, DYNAMIC_TYPE_OPENSSL);
+#endif
 #ifdef WOLFSSL_STATIC_MEMORY
     if (ctx->heap != NULL) {
 #ifdef WOLFSSL_HEAP_TEST
@@ -16311,6 +16314,21 @@ void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo,
                                                              currTime.tv_usec;
             info->numberPackets++;
         }
+    #ifdef OPENSSL_EXTRA
+        if (ssl->protoMsgCb != NULL && sz > RECORD_HEADER_SZ) {
+            /* version from hex to dec  16 is 16^1, 256 from 16^2 and
+               4096 from 16^3 */
+            int version = (ssl->version.minor & 0X0F) +
+                          (ssl->version.minor & 0xF0) * 16  +
+                          (ssl->version.major & 0X0F) * 256 +
+                          (ssl->version.major & 0xF0) * 4096;
+
+            ssl->protoMsgCb(written, version, type,
+                         (const void *)(data + RECORD_HEADER_SZ),
+                         (size_t)(sz - RECORD_HEADER_SZ),
+                         ssl, ssl->protoMsgCtx);
+        }
+    #endif /* OPENSSL_EXTRA */
     }
 
 

src/ssl.c

@@ -5868,8 +5868,16 @@ int wolfSSL_CertManagerDisableOCSPStapling(WOLFSSL_CERT_MANAGER* cm)
 #endif
     return ret;
 }
-
-
+#if defined(SESSION_CERTS)
+WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL* ssl)
+{
+    WOLFSSL_ENTER("wolfSSL_get_peer_cert_chain");
+    if ((ssl == NULL) || (ssl->session.chain.count == 0))
+        return NULL;
+    else
+        return (WOLF_STACK_OF(WOLFSSL_X509)* )&ssl->session.chain;
+}
+#endif
 #ifdef HAVE_OCSP
 
 
@@ -11456,21 +11464,36 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 
     long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx)
     {
-        (void)ctx;
         WOLFSSL_ENTER("wolfSSL_CTX_get_options");
         WOLFSSL_MSG("wolfSSL options are set through API calls and macros");
-
-        return 0;
+        if(ctx == NULL)
+            return BAD_FUNC_ARG;
+        return ctx->mask;
     }
 
 
     long wolfSSL_CTX_set_options(WOLFSSL_CTX* ctx, long opt)
     {
+        WOLFSSL *ssl;
         WOLFSSL_ENTER("SSL_CTX_set_options");
-        ctx->mask |= opt;
-        return opt;
+        if(ctx == NULL)
+            return BAD_FUNC_ARG;
+        ssl = wolfSSL_new(ctx);
+        if(ssl == NULL)
+            return SSL_FAILURE;
+        ctx->mask = wolfSSL_set_options(ssl, opt);
+        wolfSSL_free(ssl);
+        return ctx->mask;
     }
 
+    long wolfSSL_CTX_clear_options(WOLFSSL_CTX* ctx, long opt)
+    {
+        WOLFSSL_ENTER("SSL_CTX_clear_options");
+        if(ctx == NULL)
+            return BAD_FUNC_ARG;
+        ctx->mask &= ~opt;
+        return ctx->mask;
+    }
 
     int wolfSSL_set_rfd(WOLFSSL* ssl, int rfd)
     {
@@ -11559,6 +11582,15 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
             return ctx->error_depth;
         return WOLFSSL_FATAL_ERROR;
     }
+
+    void wolfSSL_X509_STORE_CTX_set_verify_cb(WOLFSSL_X509_STORE_CTX *ctx,
+                                  WOLFSSL_X509_STORE_CTX_verify_cb verify_cb)
+    {
+        WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_verify_cb");
+        if(ctx == NULL)
+            return;
+        ctx->verify_cb = verify_cb;
+    }
 #endif
 
 
@@ -12751,7 +12783,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
         WOLFSSL_ENTER("EVP_MD_CTX_new");
         ctx = (WOLFSSL_EVP_MD_CTX*)XMALLOC(sizeof *ctx, NULL,
                                                        DYNAMIC_TYPE_OPENSSL);
-      	if (ctx){
+        if (ctx){
             wolfSSL_EVP_MD_CTX_init(ctx);
         }
         return ctx;
@@ -12761,9 +12793,9 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
     {
         if (ctx) {
             WOLFSSL_ENTER("EVP_MD_CTX_free");
-    		    wolfSSL_EVP_MD_CTX_cleanup(ctx);
-    		    XFREE(ctx, NULL, DYNAMIC_TYPE_OPENSSL);
-    		}
+                wolfSSL_EVP_MD_CTX_cleanup(ctx);
+                XFREE(ctx, NULL, DYNAMIC_TYPE_OPENSSL);
+            }
     }
 
     void wolfSSL_EVP_MD_CTX_init(WOLFSSL_EVP_MD_CTX* ctx)
@@ -14843,7 +14875,7 @@ void wolfSSL_sk_X509_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) {
 
     /* free head of stack */
     if (sk->num == 1) {
-	wolfSSL_X509_free(sk->data.x509);
+    wolfSSL_X509_free(sk->data.x509);
     }
     XFREE(sk, NULL, DYNAMIC_TYPE_X509);
 }
@@ -15250,7 +15282,7 @@ void wolfSSL_sk_ASN1_OBJECT_free(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk)
 
     /* free head of stack */
     if (sk->num == 1) {
-	    wolfSSL_ASN1_OBJECT_free(sk->data.obj);
+        wolfSSL_ASN1_OBJECT_free(sk->data.obj);
     }
     XFREE(sk, NULL, DYNAMIC_TYPE_ASN1);
 }
@@ -17004,8 +17036,7 @@ int wolfSSL_PEM_def_callback(char* name, int num, int w, void* key)
     return 0;
 }
 
-
-unsigned long wolfSSL_set_options(WOLFSSL* ssl, unsigned long op)
+long wolfSSL_set_options(WOLFSSL* ssl, long op)
 {
     word16 haveRSA = 1;
     word16 havePSK = 0;
@@ -17101,10 +17132,20 @@ unsigned long wolfSSL_set_options(WOLFSSL* ssl, unsigned long op)
 }
 
 
-unsigned long wolfSSL_get_options(const WOLFSSL* ssl)
+long wolfSSL_get_options(const WOLFSSL* ssl)
 {
     WOLFSSL_ENTER("wolfSSL_get_options");
+    if(ssl == NULL)
+        return WOLFSSL_FAILURE;
+    return ssl->options.mask;
+}
 
+long wolfSSL_clear_options(WOLFSSL* ssl, long opt)
+{
+    WOLFSSL_ENTER("SSL_clear_options");
+    if(ssl == NULL)
+        return WOLFSSL_FAILURE;
+    ssl->options.mask &= ~opt;
     return ssl->options.mask;
 }
 
@@ -18545,6 +18586,31 @@ int wolfSSL_BN_mod_exp(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *a,
     return WOLFSSL_FAILURE;
 }
 
+/* r = (a * p) % m */
+int wolfSSL_BN_mod_mul(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *a,
+        const WOLFSSL_BIGNUM *p, const WOLFSSL_BIGNUM *m, WOLFSSL_BN_CTX *ctx)
+{
+    int ret;
+
+    WOLFSSL_ENTER("wolfSSL_BN_mod_mul");
+
+    (void) ctx;
+    if (r == NULL || a == NULL || p == NULL || m == NULL) {
+        WOLFSSL_MSG("Bad Argument");
+        return SSL_FAILURE;
+    }
+
+    if ((ret = mp_mulmod((mp_int*)a->internal,(mp_int*)p->internal,
+               (mp_int*)m->internal, (mp_int*)r->internal)) == MP_OKAY) {
+        return SSL_SUCCESS;
+    }
+
+    WOLFSSL_LEAVE("wolfSSL_BN_mod_mul", ret);
+    (void)ret;
+
+    return SSL_FAILURE;
+}
+
 const WOLFSSL_BIGNUM* wolfSSL_BN_value_one(void)
 {
     static WOLFSSL_BIGNUM* bn_one = NULL;
@@ -21401,6 +21467,10 @@ void wolfSSL_OPENSSL_free(void* p)
     XFREE(p, NULL, DYNAMIC_TYPE_OPENSSL);
 }
 
+void *wolfSSL_OPENSSL_malloc(size_t a)
+{
+  return XMALLOC(a, NULL, DYNAMIC_TYPE_OPENSSL);
+}
 #if defined(WOLFSSL_KEY_GEN)
 
 static int EncryptDerKey(byte *der, int *derSz, const EVP_CIPHER* cipher,
@@ -22656,7 +22726,7 @@ int wolfSSL_EC_POINT_cmp(const WOLFSSL_EC_GROUP *group,
 {
     int ret;
 
-	(void)ctx;
+    (void)ctx;
 
     WOLFSSL_ENTER("wolfSSL_EC_POINT_cmp");
 
@@ -22920,7 +22990,7 @@ int wolfSSL_ECDH_compute_key(void *out, size_t outlen,
 
     (void)KDF;
 
-	WOLFSSL_ENTER("wolfSSL_ECDH_compute_key");
+    WOLFSSL_ENTER("wolfSSL_ECDH_compute_key");
 
     if (out == NULL || pub_key == NULL || pub_key->internal == NULL ||
         ecdh == NULL || ecdh->internal == NULL) {
@@ -24888,6 +24958,10 @@ int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data)
         session->ex_data[idx] = data;
         return WOLFSSL_SUCCESS;
     }
+#else
+    (void)session;
+    (void)idx;
+    (void)data;
 #endif
     return WOLFSSL_FAILURE;
 }
@@ -24917,6 +24991,9 @@ void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION* session, int idx)
 #ifdef HAVE_EX_DATA
     if (session != NULL && idx < MAX_EX_DATA && idx >= 0)
         return session->ex_data[idx];
+#else
+    (void)session;
+    (void)idx;
 #endif
     return NULL;
 }
@@ -25164,17 +25241,6 @@ int wolfSSL_version(WOLFSSL* ssl)
     return WOLFSSL_FAILURE;
 }
 
-
-WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL* ssl)
-{
-    (void)ssl;
-    WOLFSSL_ENTER("wolfSSL_get_peer_cert_chain");
-    WOLFSSL_STUB("wolfSSL_get_peer_cert_chain");
-
-    return NULL;
-}
-
-
 WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl)
 {
     WOLFSSL_ENTER("wolfSSL_get_SSL_CTX");
@@ -25256,14 +25322,9 @@ void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX* ctx, void* arg)
         ctx->sniRecvCbArg = arg;
 }
 
-
-long wolfSSL_CTX_clear_options(WOLFSSL_CTX* ctx, long opt)
-{
-    WOLFSSL_ENTER("SSL_CTX_clear_options");
-    WOLFSSL_STUB("SSL_CTX_clear_options");
-    (void)ctx;
-    (void)opt;
-    return opt;
+void wolfSSL_ERR_load_BIO_strings(void) {
+    WOLFSSL_ENTER("ERR_load_BIO_strings");
+    /* do nothing */
 }
 
 void wolfSSL_THREADID_set_callback(void(*threadid_func)(void*))
@@ -26554,6 +26615,7 @@ WOLFSSL_API int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, char* names)
 #endif
 
 #ifdef OPENSSL_EXTRA
+#ifndef NO_WOLFSSL_STUB
 int wolfSSL_CTX_set_msg_callback(WOLFSSL_CTX *ctx, SSL_Msg_Cb cb)
 {
     WOLFSSL_STUB("SSL_CTX_set_msg_callback");
@@ -26561,28 +26623,75 @@ int wolfSSL_CTX_set_msg_callback(WOLFSSL_CTX *ctx, SSL_Msg_Cb cb)
     (void)cb;
     return WOLFSSL_FAILURE;
 }
+#endif
+
 int wolfSSL_set_msg_callback(WOLFSSL *ssl, SSL_Msg_Cb cb)
 {
-    WOLFSSL_STUB("SSL_set_msg_callback");
-    (void)ssl;
-    (void)cb;
-    return WOLFSSL_FAILURE;
+  WOLFSSL_ENTER("wolfSSL_set_msg_callback");
+
+  if (ssl == NULL) {
+      return SSL_FAILURE;
+  }
+
+  if (cb != NULL) {
+      ssl->toInfoOn = 1;
+  }
+
+  ssl->protoMsgCb = cb;
+  return SSL_SUCCESS;
 }
-int wolfSSL_CTX_set_msg_callback_arg(WOLFSSL_CTX *ctx, void* arg)
+
+#ifndef NO_WOLFSSL_STUB
+void wolfSSL_CTX_set_msg_callback_arg(WOLFSSL_CTX *ctx, void* arg)
 {
     WOLFSSL_STUB("SSL_CTX_set_msg_callback_arg");
     (void)ctx;
     (void)arg;
-    return WOLFSSL_FAILURE;
+    return;
 }
-int wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg)
+#endif
+
+void wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg)
 {
-    WOLFSSL_STUB("SSL_set_msg_callback_arg");
-    (void)ssl;
-    (void)arg;
-    return WOLFSSL_FAILURE;
+    WOLFSSL_ENTER("wolfSSL_set_msg_callback_arg");
+    ssl->protoMsgCtx = arg;
+    return;
 }
-#endif
 
+void *wolfSSL_OPENSSL_memdup(const void *data, size_t siz, const char* file, int line)
+{
+    void *ret;
+    (void)file;
+    (void)line;
+
+    if (data == NULL || siz >= INT_MAX)
+        return NULL;
+
+    ret = OPENSSL_malloc(siz);
+    if (ret == NULL) {
+        return NULL;
+    }
+    return XMEMCPY(ret, data, siz);
+}
+
+int wolfSSL_CTX_set_alpn_protos(WOLFSSL_CTX *ctx, const unsigned char *p,
+                            unsigned int p_len)
+{
+    WOLFSSL_ENTER("wolfSSL_CTX_set_alpn_protos");
+    if(ctx == NULL)
+        return BAD_FUNC_ARG;
+    if((void *)ctx->alpn_cli_protos != NULL)
+        wolfSSL_OPENSSL_free((void *)ctx->alpn_cli_protos);
+    ctx->alpn_cli_protos =
+        (const unsigned char *)wolfSSL_OPENSSL_memdup(p, p_len, NULL, 0);
+    if (ctx->alpn_cli_protos == NULL) {
+        return SSL_FAILURE;
+    }
+    ctx->alpn_cli_protos_len = p_len;
+
+    return SSL_SUCCESS;
+}
+
+#endif
 
 #endif /* WOLFCRYPT_ONLY */

tests/api.c

@@ -45,6 +45,8 @@
 #include <wolfssl/ssl.h>  /* compatibility layer */
 #include <wolfssl/test.h>
 #include <tests/unit.h>
+#include "examples/server/server.h"
+     /* for testing compatibility layer callbacks */
 
 #ifndef NO_MD5
     #include <wolfssl/wolfcrypt/md5.h>
@@ -160,6 +162,10 @@
         #include <wolfssl/wolfcrypt/srp.h>
 #endif
 
+#if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN)
+#include "wolfssl/internal.h" /* for testing SSL_get_peer_cert_chain */
+#endif
+
 /* enable testing buffer load functions */
 #ifndef USE_CERT_BUFFERS_2048
     #define USE_CERT_BUFFERS_2048
@@ -1007,8 +1013,8 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
     } while (ret != WOLFSSL_SUCCESS && err == WC_PENDING_E);
 
     if (ret != WOLFSSL_SUCCESS) {
-        char buffer[WOLFSSL_MAX_ERROR_SZ];
-        printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer));
+        char buff[WOLFSSL_MAX_ERROR_SZ];
+        printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buff));
         /*err_sys("SSL_accept failed");*/
         goto done;
     }
@@ -1056,7 +1062,9 @@ done:
 }
 #endif /* !NO_WOLFSSL_SERVER */
 
-static void test_client_nofail(void* args)
+typedef int (*cbType)(WOLFSSL_CTX *ctx, WOLFSSL *ssl);
+
+static void test_client_nofail(void* args, void *cb)
 {
     SOCKET_T sockfd = 0;
 
@@ -1132,12 +1140,14 @@ static void test_client_nofail(void* args)
     } while (ret != WOLFSSL_SUCCESS && err == WC_PENDING_E);
 
     if (ret != WOLFSSL_SUCCESS) {
-        char buffer[WOLFSSL_MAX_ERROR_SZ];
-        printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer));
+        char buff[WOLFSSL_MAX_ERROR_SZ];
+        printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buff));
         /*err_sys("SSL_connect failed");*/
         goto done2;
     }
 
+    if(cb != NULL)((cbType)cb)(ctx, ssl);
+
     if (wolfSSL_write(ssl, msg, msgSz) != msgSz)
     {
         /*err_sys("SSL_write failed");*/
@@ -1268,8 +1278,8 @@ static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args)
     } while (ret != WOLFSSL_SUCCESS && err == WC_PENDING_E);
 
     if (ret != WOLFSSL_SUCCESS) {
-        char buffer[WOLFSSL_MAX_ERROR_SZ];
-        printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer));
+        char buff[WOLFSSL_MAX_ERROR_SZ];
+        printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buff));
         /*err_sys("SSL_accept failed");*/
     }
     else {
@@ -1388,8 +1398,8 @@ static void run_wolfssl_client(void* args)
     } while (ret != WOLFSSL_SUCCESS && err == WC_PENDING_E);
 
     if (ret != WOLFSSL_SUCCESS) {
-        char buffer[WOLFSSL_MAX_ERROR_SZ];
-        printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer));
+        char buff[WOLFSSL_MAX_ERROR_SZ];
+        printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buff));
         /*err_sys("SSL_connect failed");*/
     }
     else {
@@ -1465,7 +1475,7 @@ static void test_wolfSSL_read_write(void)
 
     start_thread(test_server_nofail, &server_args, &serverThread);
     wait_tcp_ready(&server_args);
-    test_client_nofail(&client_args);
+    test_client_nofail(&client_args, NULL);
     join_thread(serverThread);
 
     AssertTrue(client_args.return_code);
@@ -9769,15 +9779,15 @@ static void test_wolfSSL_tmp_dh(void)
 static void test_wolfSSL_ctrl(void)
 {
     #if defined(OPENSSL_EXTRA)
-    byte buffer[5300];
+    byte buff[5300];
     BIO* bio;
     int  bytes;
     BUF_MEM* ptr = NULL;
 
     printf(testingFmt, "wolfSSL_crtl()");
 
-    bytes = sizeof(buffer);
-    bio = BIO_new_mem_buf((void*)buffer, bytes);
+    bytes = sizeof(buff);
+    bio = BIO_new_mem_buf((void*)buff, bytes);
     AssertNotNull(bio);
     AssertNotNull(BIO_s_socket());
 
@@ -9965,7 +9975,7 @@ static void test_wolfSSL_ERR_peek_last_error_line(void)
 #ifndef SINGLE_THREADED
     start_thread(test_server_nofail, &server_args, &serverThread);
     wait_tcp_ready(&server_args);
-    test_client_nofail(&client_args);
+    test_client_nofail(&client_args, NULL);
     join_thread(serverThread);
 #endif
 
@@ -10293,7 +10303,17 @@ static void test_wolfSSL_BN(void)
     /* check result  3^2 mod 5 */
     value[0] = 0;
     AssertIntEQ(BN_bn2bin(d, value), WOLFSSL_SUCCESS);
-    AssertIntEQ((int)(value[0] & 0x04), 4);
+    AssertIntEQ(BN_bn2bin(d, value), SSL_SUCCESS);
+    AssertIntEQ((int)(value[0]), 4);
+
+    /* a*b mod c = */
+    AssertIntEQ(BN_mod_mul(d, NULL, b, c, NULL), SSL_FAILURE);
+    AssertIntEQ(BN_mod_mul(d, a, b, c, NULL), SSL_SUCCESS);
+
+    /* check result  3*2 mod 5 */
+    value[0] = 0;
+    AssertIntEQ(BN_bn2bin(d, value), SSL_SUCCESS);
+    AssertIntEQ((int)(value[0]), 1);
 
     /* BN_mod_inverse test */
     value[0] = 0;
@@ -10335,6 +10355,96 @@ static void test_wolfSSL_BN(void)
     #endif /* defined(OPENSSL_EXTRA) && !defined(NO_ASN) */
 }
 
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
+   !defined(NO_FILESYSTEM) && !defined(NO_RSA)
+#define TEST_ARG 0x1234
+static void msg_cb(int write_p, int version, int content_type,
+                   const void *buf, size_t len, SSL *ssl, void *arg)
+{
+    (void)write_p;
+    (void)version;
+    (void)content_type;
+    (void)buf;
+    (void)len;
+    (void)ssl;
+
+    AssertTrue(arg == (void*)TEST_ARG);
+}
+#endif
+
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
+   !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL) && \
+   !defined(NO_OLD_TLS) && defined(HAVE_IO_TESTS_DEPENDENCIES)
+#ifndef SINGLE_THREADED
+static int msgCb(SSL_CTX *ctx, SSL *ssl)
+{
+    (void) ctx;
+    (void) ssl;
+    printf("\n===== msgcb called ====\n");
+    #if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN)
+    AssertTrue(SSL_get_peer_cert_chain(ssl) != NULL);
+    AssertIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 1);
+    #endif
+    return SSL_SUCCESS;
+}
+#endif
+#endif
+
+static void test_wolfSSL_msgCb(void)
+{
+  #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
+     !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL) && \
+     !defined(NO_OLD_TLS) && defined(HAVE_IO_TESTS_DEPENDENCIES)
+
+    tcp_ready ready;
+    func_args client_args;
+    func_args server_args;
+    #ifndef SINGLE_THREADED
+    THREAD_TYPE serverThread;
+    #endif
+    callback_functions client_cb;
+    callback_functions server_cb;
+
+    printf(testingFmt, "test_wolfSSL_msgCb");
+
+/* create a failed connection and inspect the error */
+#ifdef WOLFSSL_TIRTOS
+    fdOpenSession(Task_self());
+#endif
+    XMEMSET(&client_args, 0, sizeof(func_args));
+    XMEMSET(&server_args, 0, sizeof(func_args));
+
+    StartTCP();
+    InitTcpReady(&ready);
+
+    client_cb.method  = wolfTLSv1_2_client_method;
+    server_cb.method  = wolfTLSv1_2_server_method;
+
+    server_args.signal    = &ready;
+    server_args.callbacks = &server_cb;
+    client_args.signal    = &ready;
+    client_args.callbacks = &client_cb;
+    client_args.return_code = TEST_FAIL;
+
+    #ifndef SINGLE_THREADED
+    start_thread(test_server_nofail, &server_args, &serverThread);
+    wait_tcp_ready(&server_args);
+    test_client_nofail(&client_args, (void *)msgCb);
+    join_thread(serverThread);
+    AssertTrue(client_args.return_code);
+    AssertTrue(server_args.return_code);
+    #endif
+
+    FreeTcpReady(&ready);
+
+#ifdef WOLFSSL_TIRTOS
+    fdOpenSession(Task_self());
+#endif
+
+    printf(resultFmt, passed);
+
+#endif
+}
 
 static void test_wolfSSL_set_options(void)
 {
@@ -10343,11 +10453,40 @@ static void test_wolfSSL_set_options(void)
     SSL*     ssl;
     SSL_CTX* ctx;
 
+    unsigned char protos[] = {
+        7, 't', 'l', 's', '/', '1', '.', '2',
+        8, 'h', 't', 't', 'p', '/', '1', '.', '1'
+    };
+    unsigned int len = sizeof(protos);
+
+    void *arg = (void *)TEST_ARG;
+
     printf(testingFmt, "wolfSSL_set_options()");
 
     AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method()));
-    AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM));
-    AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM));
+    AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM));
+    AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM));
+
+    AssertTrue(SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1);
+    AssertTrue(SSL_CTX_get_options(ctx) == SSL_OP_NO_TLSv1);
+
+    AssertIntGT((int)SSL_CTX_set_options(ctx, (SSL_OP_COOKIE_EXCHANGE |
+                                                              SSL_OP_NO_SSLv2)), 0);
+    AssertTrue((SSL_CTX_set_options(ctx, SSL_OP_COOKIE_EXCHANGE) &
+                                 SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE);
+    AssertTrue((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) &
+                                           SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2);
+    AssertTrue((SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION) &
+                                   SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION);
+    AssertNull((SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION) &
+                                               SSL_OP_NO_COMPRESSION));
+
+    SSL_CTX_free(ctx);
+
+    AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method()));
+    AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM));
+    AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM));
+
     AssertNotNull(ssl = SSL_new(ctx));
 
     AssertTrue(SSL_set_options(ssl, SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1);
@@ -10361,6 +10500,13 @@ static void test_wolfSSL_set_options(void)
                                        SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2);
     AssertTrue((SSL_set_options(ssl, SSL_OP_NO_COMPRESSION) &
                                SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION);
+    AssertNull((SSL_clear_options(ssl, SSL_OP_NO_COMPRESSION) &
+                                       SSL_OP_NO_COMPRESSION));
+
+    AssertTrue(SSL_set_msg_callback(ssl, msg_cb) == SSL_SUCCESS);
+    SSL_set_msg_callback_arg(ssl, arg);
+
+    AssertTrue(SSL_CTX_set_alpn_protos(ctx, protos, len) == SSL_SUCCESS);
 
     SSL_free(ssl);
     SSL_CTX_free(ctx);
@@ -10370,6 +10516,29 @@ static void test_wolfSSL_set_options(void)
              !defined(NO_FILESYSTEM) && !defined(NO_RSA) */
 }
 
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS)
+static int verify_cb(int ok, X509_STORE_CTX *ctx)
+{
+    (void) ok;
+    (void) ctx;
+    printf("ENTER verify_cb\n");
+    return SSL_SUCCESS;
+}
+#endif
+
+static void test_wolfSSL_X509_STORE_CTX(void)
+{
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS)
+    X509_STORE_CTX *ctx   = NULL ;
+
+    printf(testingFmt, "test_wolfSSL_X509_STORE_CTX(()");
+    AssertNotNull(ctx = X509_STORE_CTX_new());
+    X509_STORE_CTX_set_verify_cb(ctx, (void *)verify_cb);
+    X509_STORE_CTX_free(ctx);
+    printf(resultFmt, passed);
+    #endif
+}
+
 /* Testing  wolfSSL_set_tlsext_status_type funciton.
  * PRE: OPENSSL and HAVE_CERTIFICATE_STATUS_REQUEST defined.
  */
@@ -10395,7 +10564,7 @@ static void test_wolfSSL_PEM_read_bio(void)
 {
     #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
        !defined(NO_FILESYSTEM) && !defined(NO_RSA)
-    byte buffer[5300];
+    byte buff[5300];
     FILE *f;
     int  bytes;
     X509* x509;
@@ -10404,11 +10573,11 @@ static void test_wolfSSL_PEM_read_bio(void)
     printf(testingFmt, "wolfSSL_PEM_read_bio()");
 
     AssertNotNull(f = fopen(cliCertFile, "rb"));
-    bytes = (int)fread(buffer, 1, sizeof(buffer), f);
+    bytes = (int)fread(buff, 1, sizeof(buff), f);
     fclose(f);
 
     AssertNull(x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL));
-    AssertNotNull(bio = BIO_new_mem_buf((void*)buffer, bytes));
+    AssertNotNull(bio = BIO_new_mem_buf((void*)buff, bytes));
     AssertNotNull(x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL));
     AssertIntEQ((int)BIO_set_fd(bio, 0, BIO_NOCLOSE), 1);
 
@@ -10424,7 +10593,7 @@ static void test_wolfSSL_PEM_read_bio(void)
 static void test_wolfSSL_BIO(void)
 {
     #if defined(OPENSSL_EXTRA)
-    byte buffer[20];
+    byte buff[20];
     BIO* bio1;
     BIO* bio2;
     BIO* bio3;
@@ -10434,7 +10603,7 @@ static void test_wolfSSL_BIO(void)
     printf(testingFmt, "wolfSSL_BIO()");
 
     for (i = 0; i < 20; i++) {
-        buffer[i] = i;
+        buff[i] = i;
     }
 
     /* Creating and testing type BIO_s_bio */
@@ -10443,25 +10612,25 @@ static void test_wolfSSL_BIO(void)
     AssertNotNull(bio3 = BIO_new(BIO_s_bio()));
 
     /* read/write before set up */
-    AssertIntEQ(BIO_read(bio1, buffer, 2),  WOLFSSL_BIO_UNSET);
-    AssertIntEQ(BIO_write(bio1, buffer, 2), WOLFSSL_BIO_UNSET);
+    AssertIntEQ(BIO_read(bio1, buff, 2),  WOLFSSL_BIO_UNSET);
+    AssertIntEQ(BIO_write(bio1, buff, 2), WOLFSSL_BIO_UNSET);
 
     AssertIntEQ(BIO_set_write_buf_size(bio1, 20), WOLFSSL_SUCCESS);
     AssertIntEQ(BIO_set_write_buf_size(bio2, 8),  WOLFSSL_SUCCESS);
     AssertIntEQ(BIO_make_bio_pair(bio1, bio2),    WOLFSSL_SUCCESS);
 
     AssertIntEQ(BIO_nwrite(bio1, &bufPt, 10), 10);
-    XMEMCPY(bufPt, buffer, 10);
-    AssertIntEQ(BIO_write(bio1, buffer + 10, 10), 10);
+    XMEMCPY(bufPt, buff, 10);
+    AssertIntEQ(BIO_write(bio1, buff + 10, 10), 10);
     /* write buffer full */
-    AssertIntEQ(BIO_write(bio1, buffer, 10), WOLFSSL_BIO_ERROR);
+    AssertIntEQ(BIO_write(bio1, buff, 10), WOLFSSL_BIO_ERROR);
     AssertIntEQ(BIO_flush(bio1), WOLFSSL_SUCCESS);
     AssertIntEQ((int)BIO_ctrl_pending(bio1), 0);
 
     /* write the other direction with pair */
     AssertIntEQ((int)BIO_nwrite(bio2, &bufPt, 10), 8);
-    XMEMCPY(bufPt, buffer, 8);
-    AssertIntEQ(BIO_write(bio2, buffer, 10), WOLFSSL_BIO_ERROR);
+    XMEMCPY(bufPt, buff, 8);
+    AssertIntEQ(BIO_write(bio2, buff, 10), WOLFSSL_BIO_ERROR);
 
     /* try read */
     AssertIntEQ((int)BIO_ctrl_pending(bio1), 8);
@@ -10492,7 +10661,7 @@ static void test_wolfSSL_BIO(void)
 
     /* fill write buffer, read only small amount then write again */
     AssertIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20);
-    XMEMCPY(bufPt, buffer, 20);
+    XMEMCPY(bufPt, buff, 20);
     AssertIntEQ(BIO_nread(bio3, &bufPt, 4), 4);
     for (i = 0; i < 4; i++) {
         AssertIntEQ(bufPt[i], i);
@@ -10510,7 +10679,7 @@ static void test_wolfSSL_BIO(void)
     /* should read only to end of write buffer then need to read again */
     AssertIntEQ(BIO_nread(bio3, &bufPt, 20), 16);
     for (i = 0; i < 16; i++) {
-        AssertIntEQ(bufPt[i], buffer[4 + i]);
+        AssertIntEQ(bufPt[i], buff[4 + i]);
     }
 
     AssertIntEQ(BIO_nread(bio3, NULL, 0), WOLFSSL_FAILURE);
@@ -10527,14 +10696,14 @@ static void test_wolfSSL_BIO(void)
 
     /* write and fill up buffer checking reset of index state */
     AssertIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20);
-    XMEMCPY(bufPt, buffer, 20);
+    XMEMCPY(bufPt, buff, 20);
 
     /* test reset on data in bio1 write buffer */
     AssertIntEQ(BIO_reset(bio1), 0);
     AssertIntEQ((int)BIO_ctrl_pending(bio3), 0);
     AssertIntEQ(BIO_nread(bio3, &bufPt, 3), WOLFSSL_BIO_ERROR);
     AssertIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20);
-    XMEMCPY(bufPt, buffer, 20);
+    XMEMCPY(bufPt, buff, 20);
     AssertIntEQ(BIO_nread(bio3, &bufPt, 6), 6);
     for (i = 0; i < 6; i++) {
         AssertIntEQ(bufPt[i], i);
@@ -11291,12 +11460,16 @@ void ApiTest(void)
     test_wolfSSL_EVP_MD_hmac_signing();
     test_wolfSSL_CTX_add_extra_chain_cert();
     test_wolfSSL_ERR_peek_last_error_line();
+    test_wolfSSL_set_options();
+    test_wolfSSL_X509_STORE_CTX();
+    test_wolfSSL_msgCb();
     test_wolfSSL_X509_STORE_set_flags();
     test_wolfSSL_X509_LOOKUP_load_file();
     test_wolfSSL_X509_NID();
     test_wolfSSL_X509_STORE_CTX_set_time();
     test_wolfSSL_BN();
     test_wolfSSL_set_options();
+    test_wolfSSL_X509_STORE_CTX();
     test_wolfSSL_PEM_read_bio();
     test_wolfSSL_BIO();
     test_wolfSSL_DES_ecb_encrypt();

wolfssl/error-ssl.h

@@ -181,7 +181,7 @@ enum wolfSSL_ErrorCodes {
 };
 
 
-#ifdef WOLFSSL_CALLBACKS
+#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
     enum {
         MIN_PARAM_ERR = UNSUPPORTED_SUITE,
         MAX_PARAM_ERR = MIN_PARAM_ERR - 10

wolfssl/internal.h

@@ -2316,6 +2316,8 @@ struct WOLFSSL_CTX {
     word32            disabledCurves;   /* curves disabled by user */
     byte              verifyDepth;      /* maximum verification depth */
     unsigned long     mask;             /* store SSL_OP_ flags */
+    const unsigned char *alpn_cli_protos;/* ALPN client protocol list */
+    unsigned int         alpn_cli_protos_len;
 #endif
     CallbackIORecv CBIORecv;
     CallbackIOSend CBIOSend;
@@ -3400,6 +3402,12 @@ struct WOLFSSL {
 #ifdef WOLFSSL_CALLBACKS
     HandShakeInfo   handShakeInfo;      /* info saved during handshake */
     TimeoutInfo     timeoutInfo;        /* info saved during handshake */
+#endif
+#ifdef OPENSSL_EXTRA
+    SSL_Msg_Cb      protoMsgCb;         /* inspect protocol message callback */
+    void*           protoMsgCtx;        /* user set context with msg callback */
+#endif
+#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
     byte            hsInfoOn;           /* track handshake info        */
     byte            toInfoOn;           /* track timeout   info        */
 #endif

wolfssl/openssl/bn.h

@@ -37,6 +37,8 @@ WOLFSSL_API int wolfSSL_BN_mod(WOLFSSL_BIGNUM*, const WOLFSSL_BIGNUM*,
                              const WOLFSSL_BIGNUM*, const WOLFSSL_BN_CTX*);
 WOLFSSL_API int wolfSSL_BN_mod_exp(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *a,
         const WOLFSSL_BIGNUM *p, const WOLFSSL_BIGNUM *m, WOLFSSL_BN_CTX *ctx);
+WOLFSSL_API int wolfSSL_BN_mod_mul(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *a,
+        const WOLFSSL_BIGNUM *b, const WOLFSSL_BIGNUM *m, WOLFSSL_BN_CTX *ctx);
 WOLFSSL_API const WOLFSSL_BIGNUM* wolfSSL_BN_value_one(void);
 
 
@@ -112,6 +114,7 @@ typedef WOLFSSL_BN_GENCB BN_GENCB;
 
 #define BN_mod       wolfSSL_BN_mod
 #define BN_mod_exp   wolfSSL_BN_mod_exp
+#define BN_mod_mul   wolfSSL_BN_mod_mul
 #define BN_sub       wolfSSL_BN_sub
 #define BN_value_one wolfSSL_BN_value_one
 

wolfssl/openssl/crypto.h

@@ -42,9 +42,6 @@ typedef void (CRYPTO_free_func)(void*parent, void*ptr, CRYPTO_EX_DATA *ad, int i
 #define CRYPTO_THREAD_r_lock wc_LockMutex
 #define CRYPTO_THREAD_unlock wc_UnLockMutex
 
-#define OPENSSL_malloc(a)  XMALLOC(a, NULL, DYNAMIC_TYPE_OPENSSL)
-
 #endif /* HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */
 
 #endif /* header */
-

wolfssl/openssl/ssl.h

@@ -220,6 +220,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
 #define X509_digest wolfSSL_X509_digest
 #define X509_free wolfSSL_X509_free
 #define OPENSSL_free wolfSSL_OPENSSL_free
+#define OPENSSL_malloc wolfSSL_OPENSSL_malloc
 
 #define OCSP_parse_url wolfSSL_OCSP_parse_url
 #define SSLv23_client_method wolfSSLv23_client_method
@@ -294,6 +295,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
 #define X509_STORE_CTX_get_current_cert wolfSSL_X509_STORE_CTX_get_current_cert
 #define X509_STORE_add_cert             wolfSSL_X509_STORE_add_cert
 #define X509_STORE_set_flags            wolfSSL_X509_STORE_set_flags
+#define X509_STORE_CTX_set_verify_cb    wolfSSL_X509_STORE_CTX_set_verify_cb
 #define X509_STORE_CTX_get_chain        wolfSSL_X509_STORE_CTX_get_chain
 #define X509_STORE_CTX_get_error wolfSSL_X509_STORE_CTX_get_error
 #define X509_STORE_CTX_get_error_depth wolfSSL_X509_STORE_CTX_get_error_depth
@@ -359,7 +361,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
 
 #define SSL_CTX_set_timeout(ctx, to) wolfSSL_CTX_set_timeout(ctx, (unsigned int) to)
 #define SSL_CTX_set_info_callback wolfSSL_CTX_set_info_callback
-
+#define SSL_CTX_set_alpn_protos   wolfSSL_CTX_set_alpn_protos
 #define ERR_peek_error wolfSSL_ERR_peek_error
 #define ERR_peek_last_error_line  wolfSSL_ERR_peek_last_error_line
 #define ERR_peek_errors_fp         wolfSSL_ERR_peek_errors_fp
@@ -412,8 +414,11 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
 
 #define RAND_status wolfSSL_RAND_status
 #define RAND_bytes wolfSSL_RAND_bytes
-#define SSLv23_server_method wolfSSLv23_server_method
-#define SSL_CTX_set_options wolfSSL_CTX_set_options
+#define SSLv23_server_method  wolfSSLv23_server_method
+#define SSL_CTX_set_options   wolfSSL_CTX_set_options
+#define SSL_CTX_get_options   wolfSSL_CTX_get_options
+#define SSL_CTX_clear_options wolfSSL_CTX_clear_options
+
 #define SSL_CTX_check_private_key wolfSSL_CTX_check_private_key
 
 #define ERR_free_strings wolfSSL_ERR_free_strings
@@ -430,6 +435,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
 
 #define SSL_CTX_set_session_id_context wolfSSL_CTX_set_session_id_context
 #define SSL_get_peer_certificate wolfSSL_get_peer_certificate
+#define SSL_get_peer_cert_chain  wolfSSL_get_peer_cert_chain
 
 #define SSL_want_read wolfSSL_want_read
 #define SSL_want_write wolfSSL_want_write
@@ -555,6 +561,7 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
 
 #define SSL_set_options      wolfSSL_set_options
 #define SSL_get_options      wolfSSL_get_options
+#define SSL_clear_options    wolfSSL_clear_options
 #define SSL_set_tmp_dh       wolfSSL_set_tmp_dh
 #define SSL_clear_num_renegotiations    wolfSSL_clear_num_renegotiations
 #define SSL_total_renegotiations       wolfSSL_total_renegotiations
@@ -652,7 +659,7 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
 #define SSL_version                      wolfSSL_version
 #define SSL_get_state                    wolfSSL_get_state
 #define SSL_state_string_long            wolfSSL_state_string_long
-#define SSL_get_peer_cert_chain          wolfSSL_get_peer_cert_chain
+
 #define sk_X509_NAME_value               wolfSSL_sk_X509_NAME_value
 #define sk_X509_value                    wolfSSL_sk_X509_value
 #define SSL_SESSION_get_ex_data          wolfSSL_SESSION_get_ex_data
@@ -730,7 +737,7 @@ typedef WOLFSSL_ASN1_BIT_STRING    ASN1_BIT_STRING;
 
 
 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
-    defined(WOLFSSL_MYSQL_COMPATIBLE)
+    defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA)
 
 #include <wolfssl/error-ssl.h>
 
@@ -774,6 +781,7 @@ typedef WOLFSSL_ASN1_BIT_STRING    ASN1_BIT_STRING;
 #endif
 
 #define OPENSSL_config	                  wolfSSL_OPENSSL_config
+#define OPENSSL_memdup                    wolfSSL_OPENSSL_memdup
 #define X509_get_ex_new_index             wolfSSL_X509_get_ex_new_index
 #define X509_get_ex_data                  wolfSSL_X509_get_ex_data
 #define X509_set_ex_data                  wolfSSL_X509_set_ex_data
@@ -789,6 +797,7 @@ typedef WOLFSSL_ASN1_BIT_STRING    ASN1_BIT_STRING;
 #define X509_check_host                   wolfSSL_X509_check_host
 #define i2a_ASN1_INTEGER                  wolfSSL_i2a_ASN1_INTEGER
 #define ERR_peek_error_line_data          wolfSSL_ERR_peek_error_line_data
+#define ERR_load_BIO_strings              wolfSSL_ERR_load_BIO_strings
 #define SSL_CTX_set_tlsext_ticket_key_cb  wolfSSL_CTX_set_tlsext_ticket_key_cb
 #define X509_email_free                   wolfSSL_X509_email_free
 #define X509_get1_ocsp                    wolfSSL_X509_get1_ocsp

wolfssl/ssl.h

@@ -122,6 +122,8 @@ typedef struct WOLFSSL_CERT_MANAGER WOLFSSL_CERT_MANAGER;
 typedef struct WOLFSSL_SOCKADDR     WOLFSSL_SOCKADDR;
 typedef struct WOLFSSL_CRL          WOLFSSL_CRL;
 
+typedef void  *WOLFSSL_X509_STORE_CTX_verify_cb; /* verify callback */
+
 /* redeclare guard */
 #define WOLFSSL_TYPES_DEFINED
 
@@ -273,6 +275,7 @@ typedef struct WOLFSSL_X509_STORE_CTX {
     int   discardSessionCerts;   /* so verify callback can flag for discard */
     int   totalCerts;            /* number of peer cert buffers */
     WOLFSSL_BUFFER_INFO* certs;  /* peer certs */
+    WOLFSSL_X509_STORE_CTX_verify_cb verify_cb; /* verify callback */
 } WOLFSSL_X509_STORE_CTX;
 
 typedef char* WOLFSSL_STRING;
@@ -632,6 +635,7 @@ WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl);
 
 WOLFSSL_API void wolfSSL_X509_free(WOLFSSL_X509*);
 WOLFSSL_API void wolfSSL_OPENSSL_free(void*);
+WOLFSSL_API void *wolfSSL_OPENSSL_malloc(size_t a);
 
 WOLFSSL_API int wolfSSL_OCSP_parse_url(char* url, char** host, char** port,
                                      char** path, int* ssl);
@@ -726,7 +730,8 @@ WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
                                                         WOLFSSL_X509_STORE_CTX*);
 WOLFSSL_API int   wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX*);
 WOLFSSL_API int   wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX*);
-
+WOLFSSL_API void  wolfSSL_X509_STORE_CTX_set_verify_cb(WOLFSSL_X509_STORE_CTX *ctx,
+                                  WOLFSSL_X509_STORE_CTX_verify_cb verify_cb);
 WOLFSSL_API char*       wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME*, char*, int);
 WOLFSSL_API WOLFSSL_X509_NAME*  wolfSSL_X509_get_issuer_name(WOLFSSL_X509*);
 WOLFSSL_API WOLFSSL_X509_NAME*  wolfSSL_X509_get_subject_name(WOLFSSL_X509*);
@@ -874,8 +879,9 @@ WOLFSSL_API int  wolfSSL_CTX_add_client_CA(WOLFSSL_CTX*, WOLFSSL_X509*);
 WOLFSSL_API int  wolfSSL_CTX_set_srp_password(WOLFSSL_CTX*, char*);
 WOLFSSL_API int  wolfSSL_CTX_set_srp_username(WOLFSSL_CTX*, char*);
 
-WOLFSSL_API unsigned long wolfSSL_set_options(WOLFSSL *s, unsigned long op);
-WOLFSSL_API unsigned long wolfSSL_get_options(const WOLFSSL *s);
+WOLFSSL_API long wolfSSL_set_options(WOLFSSL *s, long op);
+WOLFSSL_API long wolfSSL_get_options(const WOLFSSL *s);
+WOLFSSL_API long wolfSSL_clear_options(WOLFSSL *s,  long op);
 WOLFSSL_API long wolfSSL_clear_num_renegotiations(WOLFSSL *s);
 WOLFSSL_API long wolfSSL_total_renegotiations(WOLFSSL *s);
 WOLFSSL_API long wolfSSL_set_tmp_dh(WOLFSSL *s, WOLFSSL_DH *dh);
@@ -1238,6 +1244,9 @@ WOLFSSL_API int  wolfSSL_RAND_status(void);
 WOLFSSL_API int  wolfSSL_RAND_bytes(unsigned char* buf, int num);
 WOLFSSL_API WOLFSSL_METHOD *wolfSSLv23_server_method(void);
 WOLFSSL_API long wolfSSL_CTX_set_options(WOLFSSL_CTX*, long);
+WOLFSSL_API long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx);
+WOLFSSL_API long wolfSSL_CTX_clear_options(WOLFSSL_CTX*, long);
+
 #ifndef NO_CERTS
   WOLFSSL_API int  wolfSSL_CTX_check_private_key(WOLFSSL_CTX*);
 #endif /* !NO_CERTS */
@@ -1259,6 +1268,7 @@ WOLFSSL_API int  wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX*);
 WOLFSSL_API int  wolfSSL_CTX_set_session_id_context(WOLFSSL_CTX*,
                                             const unsigned char*, unsigned int);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_get_peer_certificate(WOLFSSL* ssl);
+WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL*);
 
 WOLFSSL_API int wolfSSL_want_read(WOLFSSL*);
 WOLFSSL_API int wolfSSL_want_write(WOLFSSL*);
@@ -2370,9 +2380,6 @@ WOLFSSL_API WOLFSSL_DH *wolfSSL_PEM_read_bio_DHparams(WOLFSSL_BIO *bp,
 WOLFSSL_API WOLFSSL_DSA *wolfSSL_PEM_read_bio_DSAparams(WOLFSSL_BIO *bp,
     WOLFSSL_DSA **x, pem_password_cb *cb, void *u);
 WOLFSSL_API int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x);
-WOLFSSL_API long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx);
-
-
 
 #endif /* HAVE_STUNNEL || HAVE_LIGHTY */
 
@@ -2427,8 +2434,6 @@ WOLFSSL_API void* wolfSSL_sk_X509_NAME_value(const WOLF_STACK_OF(WOLFSSL_X509_NA
 
 WOLFSSL_API void* wolfSSL_sk_X509_value(WOLF_STACK_OF(WOLFSSL_X509)*, int);
 
-WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL*);
-
 WOLFSSL_API void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION*, int);
 
 WOLFSSL_API int   wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION*, int, void*);
@@ -2463,8 +2468,6 @@ WOLFSSL_API void WOLFSSL_ERR_remove_thread_state(void*);
 WOLFSSL_API void wolfSSL_print_all_errors_fp(XFILE *fp);
 #endif
 
-WOLFSSL_API long wolfSSL_CTX_clear_options(WOLFSSL_CTX*, long);
-
 WOLFSSL_API void wolfSSL_THREADID_set_callback(void (*threadid_func)(void*));
 
 WOLFSSL_API void wolfSSL_THREADID_set_numeric(void* id, unsigned long val);
@@ -2502,13 +2505,19 @@ typedef void (*SSL_Msg_Cb)(int write_p, int version, int content_type,
 
 WOLFSSL_API int wolfSSL_CTX_set_msg_callback(WOLFSSL_CTX *ctx, SSL_Msg_Cb cb);
 WOLFSSL_API int wolfSSL_set_msg_callback(WOLFSSL *ssl, SSL_Msg_Cb cb);
-WOLFSSL_API int wolfSSL_CTX_set_msg_callback_arg(WOLFSSL_CTX *ctx, void* arg);
-WOLFSSL_API int wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg);
+WOLFSSL_API void wolfSSL_CTX_set_msg_callback_arg(WOLFSSL_CTX *ctx, void* arg);
+WOLFSSL_API void wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg);
+
 #endif
 
 #ifdef OPENSSL_EXTRA
 WOLFSSL_API unsigned long wolfSSL_ERR_peek_error_line_data(const char **file,
     int *line, const char **data, int *flags);
+WOLFSSL_API int wolfSSL_CTX_set_alpn_protos(WOLFSSL_CTX *ctx,
+    const unsigned char *protos, unsigned int protos_len);
+WOLFSSL_API void *wolfSSL_OPENSSL_memdup(const void *data,
+    size_t siz, const char* file, int line);
+WOLFSSL_API void wolfSSL_ERR_load_BIO_strings(void);
 #endif
 
 #if defined WOLFSSL_NGINX || defined WOLFSSL_HAPROXY

wolfssl/wolfcrypt/memory.h

@@ -97,7 +97,7 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb*,
         #ifndef SESSION_CERTS
             #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3456,4544,16128
         #else
-            #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3456,4544,21056
+            #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3456,4544,21072
         #endif
     #endif
     #ifndef WOLFMEM_DIST