wolfSSL
diff --git a/‎scripts/crl-revoked.test‎
Lines changed: 3 additions & 2 deletions b/‎scripts/crl-revoked.test‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎src/internal.c‎
Lines changed: 28 additions & 4 deletions b/‎src/internal.c‎
Lines changed: 28 additions & 4 deletions
diff --git a/‎src/ssl.c‎
Lines changed: 56 additions & 18 deletions b/‎src/ssl.c‎
Lines changed: 56 additions & 18 deletions
diff --git a/‎src/x509.c‎
Lines changed: 3 additions & 2 deletions b/‎src/x509.c‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎src/x509_str.c‎
Lines changed: 10 additions & 3 deletions b/‎src/x509_str.c‎
Lines changed: 10 additions & 3 deletions
@@ -22,6 +22,7 @@ cp -rp . $RUNNING_DIR/.
 cd $RUNNING_DIR
 
 revocation_code="-361"
+revocation_code_openssl="23"
 exit_code=1
 counter=0
 # need a unique resume port since may run the same time as testsuite
@@ -112,7 +113,7 @@ run_test() {
     server_result=$?
 
     case  "$capture_out" in
-    *$revocation_code*)
+    *"$revocation_code"*|*"$revocation_code_openssl"*)
         # only exit with zero on detection of the expected error code
         echo ""
         echo "Successful Revocation!!!!"
@@ -178,7 +179,7 @@ run_hashdir_test() {
   server_result=$?
 
   case  "$capture_out" in
-    *$revocation_code*)
+    *"$revocation_code"*|*"$revocation_code_openssl"*)
         # only exit with zero on detection of the expected error code
         echo ""
         echo "Successful Revocation!!!! with hash dir"
 
@@ -185,8 +185,13 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
 
 #endif /* !WOLFSSL_NO_TLS12 */
 
-#ifndef NO_WOLFSSL_SERVER
-    #if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
+#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SESSION_TICKET)
+    #if defined(WOLFSSL_HAPROXY)
+        #define SSL_TICKET_CTX(ssl) ssl->initial_ctx->ticketEncCtx
+    #else
+        #define SSL_TICKET_CTX(ssl) ssl->ctx->ticketEncCtx
+    #endif
+    #if !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
         static int TicketEncCbCtx_Init(WOLFSSL_CTX* ctx,
                                        TicketEncCbCtx* keyCtx);
         static void TicketEncCbCtx_Free(TicketEncCbCtx* keyCtx);
@@ -6213,6 +6218,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
     if (!newSSL) {
         WOLFSSL_MSG("freeing old ctx to decrement reference count. Switching ctx.");
         wolfSSL_CTX_free(ssl->ctx);
+#if defined(WOLFSSL_HAPROXY)
+        wolfSSL_CTX_free(ssl->initial_ctx);
+#endif
     }
 
     /* increment CTX reference count */
@@ -6229,6 +6237,20 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
     ssl->ctx     = ctx; /* only for passing to calls, options could change */
     /* Don't change version on a SSL object that has already started a
      * handshake */
+#if defined(WOLFSSL_HAPROXY)
+    ret = wolfSSL_CTX_up_ref(ctx);
+    if (ret == WOLFSSL_SUCCESS) {
+        ssl->initial_ctx = ctx; /* Save access to session key materials */
+    }
+    else {
+    #ifdef WOLFSSL_REFCNT_ERROR_RETURN
+        return ret;
+    #else
+        (void)ret;
+    #endif
+    }
+
+#endif
     if (!ssl->msgsReceived.got_client_hello &&
             !ssl->msgsReceived.got_server_hello)
         ssl->version = ctx->method->version;
@@ -23135,6 +23157,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
 #ifdef OPENSSL_EXTRA
     case 0 :
         return "ok";
+    case -WOLFSSL_X509_V_ERR_CERT_REVOKED :
+        return "certificate revoked";
 #endif
 
     case UNSUPPORTED_SUITE :
@@ -34639,7 +34663,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
             if (error == 0) {
                 ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac,
                         1, et->enc_ticket, sizeof(InternalTicket), &encLen,
-                        ssl->ctx->ticketEncCtx);
+                        SSL_TICKET_CTX(ssl));
             }
             else {
                 ret = WOLFSSL_TICKET_RET_FATAL;
@@ -34764,7 +34788,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
             ret = ssl->ctx->ticketEncCb((WOLFSSL*)ssl, et->key_name, et->iv,
                                     et->enc_ticket + inLen, 0,
                                     et->enc_ticket, inLen, &outLen,
-                                    ssl->ctx->ticketEncCtx);
+                                    SSL_TICKET_CTX(ssl));
         }
         if (ret != WOLFSSL_TICKET_RET_OK) {
         #ifdef WOLFSSL_ASYNC_CRYPT
 
@@ -4509,7 +4509,11 @@ int wolfSSL_get_error(WOLFSSL* ssl, int ret)
         return WOLFSSL_ERROR_WANT_WRITE;        /* convert to OpenSSL type */
     else if (ssl->error == ZERO_RETURN || ssl->options.shutdownDone)
         return WOLFSSL_ERROR_ZERO_RETURN;       /* convert to OpenSSL type */
-    return ssl->error;
+#if defined(WOLFSSL_HAPROXY)
+    return GetX509Error(ssl->error);
+#else
+    return (ssl->error);
+#endif
 }
 
 
@@ -8152,7 +8156,8 @@ int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm,
         return BAD_FUNC_ARG;
 
     if (cm->crl == NULL) {
-        if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
+        if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK) !=
+                                         WOLFSSL_SUCCESS) {
             WOLFSSL_MSG("Enable CRL failed");
             return WOLFSSL_FATAL_ERROR;
         }
@@ -8204,11 +8209,21 @@ int wolfSSL_CertManagerEnableCRL(WOLFSSL_CERT_MANAGER* cm, int options)
 {
     int ret = WOLFSSL_SUCCESS;
 
-    (void)options;
-
     WOLFSSL_ENTER("wolfSSL_CertManagerEnableCRL");
     if (cm == NULL)
         return BAD_FUNC_ARG;
+#if defined(OPENSSL_COMPATIBLE_DEFAULTS)
+    if (options == 0) {
+
+        /* Turn off doing Leaf CRL check */
+        cm->crlEnabled = 0;
+        /* Turn off all checks */
+        cm->crlCheckAll = 0;
+        return ret;
+    }
+#else
+    (void)options;
+#endif
 
     #ifdef HAVE_CRL
         if (cm->crl == NULL) {
@@ -8228,10 +8243,15 @@ int wolfSSL_CertManagerEnableCRL(WOLFSSL_CERT_MANAGER* cm, int options)
             cm->crl->crlIOCb = EmbedCrlLookup;
         #endif
         }
-
-        cm->crlEnabled = 1;
-        if (options & WOLFSSL_CRL_CHECKALL)
-            cm->crlCheckAll = 1;
+#if defined(OPENSSL_COMPATIBLE_DEFAULTS)
+        if ((options & WOLFSSL_CRL_CHECKALL) ||
+            (options & WOLFSSL_CRL_CHECK))
+#endif
+        {
+            cm->crlEnabled = 1;
+            if (options & WOLFSSL_CRL_CHECKALL)
+                cm->crlCheckAll = 1;
+        }
     #else
         ret = NOT_COMPILED_IN;
     #endif
@@ -9431,7 +9451,8 @@ int wolfSSL_CertManagerLoadCRL(WOLFSSL_CERT_MANAGER* cm, const char* path,
         return BAD_FUNC_ARG;
 
     if (cm->crl == NULL) {
-        if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
+        if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK)
+            != WOLFSSL_SUCCESS) {
             WOLFSSL_MSG("Enable CRL failed");
             return WOLFSSL_FATAL_ERROR;
         }
@@ -9448,7 +9469,8 @@ int wolfSSL_CertManagerLoadCRLFile(WOLFSSL_CERT_MANAGER* cm, const char* file,
         return BAD_FUNC_ARG;
 
     if (cm->crl == NULL) {
-        if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
+        if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK)
+            != WOLFSSL_SUCCESS) {
             WOLFSSL_MSG("Enable CRL failed");
             return WOLFSSL_FATAL_ERROR;
         }
@@ -14494,12 +14516,17 @@ void SetupSession(WOLFSSL* ssl)
 
     WOLFSSL_ENTER("SetupSession");
 
-    if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL &&
-            !session->haveAltSessionID) {
+    if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) {
         /* Make sure the session ID is available when the user calls any
          * get_session API */
-        XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN);
-        session->sessionIDSz = ssl->arrays->sessionIDSz;
+        if (!session->haveAltSessionID) {
+            XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN);
+            session->sessionIDSz = ssl->arrays->sessionIDSz;
+        }
+        else {
+            XMEMCPY(session->sessionID, session->altSessionID, ID_LEN);
+            session->sessionIDSz = ID_LEN;
+        }
     }
     session->side = (byte)ssl->options.side;
     if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL)
@@ -14904,7 +14931,7 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
     if (SslSessionCacheOff(ssl, ssl->session))
         return WOLFSSL_FAILURE;
 
-    if (ssl->options.haveSessionId == 0)
+    if (ssl->options.haveSessionId == 0 && !ssl->session->haveAltSessionID)
         return WOLFSSL_FAILURE;
 
 #ifdef HAVE_SESSION_TICKET
@@ -14913,7 +14940,8 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
 #endif
 
     XMEMSET(bogusID, 0, sizeof(bogusID));
-    if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL)
+    if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL
+            && !ssl->session->haveAltSessionID)
         id = ssl->arrays->sessionID;
     else if (ssl->session->haveAltSessionID) {
         id = ssl->session->altSessionID;
@@ -23116,8 +23144,9 @@ int wolfSSL_ERR_GET_REASON(unsigned long err)
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
     /* Nginx looks for this error to know to stop parsing certificates.
      * Same for HAProxy. */
-    if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE)
-        || (err & 0xFFFFFFL) == -ASN_NO_PEM_HEADER)
+    if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE) ||
+       ((err & 0xFFFFFFL) == -ASN_NO_PEM_HEADER) ||
+       ((err & 0xFFFL) == PEM_R_NO_START_LINE ))
         return PEM_R_NO_START_LINE;
     if (err == ((ERR_LIB_SSL << 24) | -SSL_R_HTTP_REQUEST))
         return SSL_R_HTTP_REQUEST;
@@ -31248,6 +31277,9 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 #endif
     if (ssl->ctx) {
         wolfSSL_CTX_free(ssl->ctx);
+#if defined(WOLFSSL_HAPROXY)
+        wolfSSL_CTX_free(ssl->initial_ctx);
+#endif
     }
     ssl->ctx = ctx;
 
@@ -31450,6 +31482,12 @@ const byte* wolfSSL_SESSION_get_id(const WOLFSSL_SESSION* sess,
         WOLFSSL_MSG("Bad func args. Please provide idLen");
         return NULL;
     }
+#ifdef HAVE_SESSION_TICKET
+    if (sess->haveAltSessionID) {
+        *idLen = ID_LEN;
+        return sess->altSessionID;
+    }
+#endif
     *idLen = sess->sessionIDSz;
     return sess->sessionID;
 }
 
@@ -7028,7 +7028,8 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
             WOLFSSL_CERT_MANAGER* cm = lookup->store->cm;
 
             if (cm->crl == NULL) {
-                if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
+                if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK)
+                    != WOLFSSL_SUCCESS) {
                     WOLFSSL_MSG("Enable CRL failed");
                     goto end;
                 }
@@ -12440,7 +12441,7 @@ WOLF_STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list(
 
     for (i = 0; i < num; i++) {
         name = wolfSSL_X509_NAME_dup(wolfSSL_sk_X509_NAME_value(sk, i));
-        if (name == NULL || 0 != wolfSSL_sk_X509_NAME_push(copy, name)) {
+        if (name == NULL || WOLFSSL_SUCCESS != wolfSSL_sk_X509_NAME_push(copy, name)) {
             WOLFSSL_MSG("Memory error");
             wolfSSL_sk_X509_NAME_pop_free(copy, wolfSSL_X509_NAME_free);
             return NULL;
 
@@ -170,7 +170,7 @@ int GetX509Error(int e)
         case ASN_BEFORE_DATE_E:
             return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
         case ASN_AFTER_DATE_E:
-            return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
+            return WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED;
         case ASN_NO_SIGNER_E: /* get issuer error if no CA found locally */
             return WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
         case ASN_SELF_SIGNED_E:
@@ -183,6 +183,8 @@ int GetX509Error(int e)
         case ASN_SIG_HASH_E:
         case ASN_SIG_KEY_E:
             return WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE;
+        case CRL_CERT_REVOKED:
+            return WOLFSSL_X509_V_ERR_CERT_REVOKED;
         default:
 #ifdef HAVE_WOLFSSL_MSG_EX
             WOLFSSL_MSG_EX("Error not configured or implemented yet: %d", e);
@@ -980,7 +982,11 @@ int wolfSSL_X509_STORE_set_flags(WOLFSSL_X509_STORE* store, unsigned long flag)
     if ((flag & WOLFSSL_CRL_CHECKALL) || (flag & WOLFSSL_CRL_CHECK)) {
         ret = wolfSSL_CertManagerEnableCRL(store->cm, (int)flag);
     }
-
+#if defined(OPENSSL_COMPATIBLE_DEFAULTS)
+    else if (flag == 0) {
+        ret = wolfSSL_CertManagerDisableCRL(store->cm);
+    }
+#endif
     return ret;
 }
 
@@ -1023,7 +1029,8 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,
 
 #ifdef HAVE_CRL
     if (str->cm->crl == NULL) {
-        if (wolfSSL_CertManagerEnableCRL(str->cm, 0) != WOLFSSL_SUCCESS) {
+        if (wolfSSL_CertManagerEnableCRL(str->cm, WOLFSSL_CRL_CHECK)
+            != WOLFSSL_SUCCESS) {
             WOLFSSL_MSG("Enable CRL failed");
             wolfSSL_CTX_free(ctx);
             return WOLFSSL_FAILURE;