From c950a6aa462631dca1f30fcd512947df2dce7f60 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Mon, 20 Apr 2026 12:29:26 -0700 Subject: [PATCH 1/2] zephyr: changes needed for Zephyr 4.3 default TLS support Follow-up to #7731 ("Changes needed for default TLS support in zephyr kernel"). Zephyr 4.3's TLS socket integration uses three additional wolfSSL features that were not needed by the 3.7 integration, plus an extension to the native_sim time-source gates introduced in #7731. native_sim timer gates (src/internal.c, wolfcrypt/src/wc_port.c): Extend the !CONFIG_BOARD_NATIVE_POSIX gate in LowResTimer() and the CONFIG_BOARD_NATIVE_POSIX RTC path in z_time() to also cover CONFIG_BOARD_NATIVE_SIM. Zephyr 4.3 renamed the simulator board from native_posix to native_sim; without this, k_cpu_idle() on native_sim advances simulated time during DTLS retransmit loops and the RTC path falls through to uptime-since-boot. Behavior on native_posix is unchanged. New Kconfig options (zephyr/Kconfig, zephyr/user_settings.h): CONFIG_WOLFSSL_SESSION_EXPORT -> HAVE_EXT_CACHE Required by consumers that serialize TLS session state across connections via wolfSSL_i2d_SSL_SESSION / wolfSSL_d2i_SSL_SESSION. CONFIG_WOLFSSL_KEEP_PEER_CERT -> KEEP_PEER_CERT Retain the peer certificate after handshake so the application layer can inspect it via wolfSSL_get_peer_certificate. CONFIG_WOLFSSL_ALWAYS_VERIFY_CB -> WOLFSSL_ALWAYS_VERIFY_CB Invoke an application-set verify callback on successful chain validation in addition to validation failures. All three are default-off; customers opt in the same way they do for the existing CONFIG_WOLFSSL_DTLS / ALPN / PSK feature options. .wolfssl_known_macro_extras: register HAVE_EXT_CACHE. --- .wolfssl_known_macro_extras | 1 + src/internal.c | 3 ++- wolfcrypt/src/wc_port.c | 6 +++--- zephyr/Kconfig | 15 +++++++++++++++ zephyr/user_settings.h | 15 +++++++++++++++ 5 files changed, 36 insertions(+), 4 deletions(-) 
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 3943d477390..9dfce8514c0 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -279,6 +279,7 @@ HAVE_ECC512 HAVE_ECC_CDH_CAST HAVE_ECC_SM2 HAVE_ESP_CLK +HAVE_EXT_CACHE HAVE_FIPS_VERSION_PORT HAVE_FUZZER HAVE_INTEL_MULX diff --git a/src/internal.c b/src/internal.c index 2ba6cabc157..9280884e518 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10602,7 +10602,8 @@ ProtocolVersion MakeDTLSv1_3(void) word32 LowResTimer(void) { int64_t t; - #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX) + #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX) \ + && !defined(CONFIG_BOARD_NATIVE_SIM) k_cpu_idle(); #endif t = k_uptime_get(); /* returns current uptime in milliseconds */ diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index ba740423ea6..c34bb4c18a0 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -215,7 +215,7 @@ Threading/Mutex options: #endif #if defined(WOLFSSL_ZEPHYR) -#if defined(CONFIG_BOARD_NATIVE_POSIX) +#if defined(CONFIG_BOARD_NATIVE_POSIX) || defined(CONFIG_BOARD_NATIVE_SIM) #include "native_rtc.h" #define CONFIG_RTC #endif @@ -4088,7 +4088,7 @@ time_t z_time(time_t * timer) #if defined(CONFIG_RTC) && \ (defined(CONFIG_PICOLIBC) || defined(CONFIG_NEWLIB_LIBC)) - #if defined(CONFIG_BOARD_NATIVE_POSIX) + #if defined(CONFIG_BOARD_NATIVE_POSIX) || defined(CONFIG_BOARD_NATIVE_SIM) /* When using native sim, get time from simulator rtc */ uint32_t nsec = 0; @@ -4120,7 +4120,7 @@ time_t z_time(time_t * timer) return epochTime; } } - #endif /* defined(CONFIG_BOARD_NATIVE_POSIX) */ + #endif /* CONFIG_BOARD_NATIVE_POSIX || CONFIG_BOARD_NATIVE_SIM */ #endif /* Fallback to uptime since boot. This works for relative times, but diff --git a/zephyr/Kconfig b/zephyr/Kconfig index ff05e74d23b..fb6084893a4 100644 --- a/zephyr/Kconfig +++ b/zephyr/Kconfig 
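Review bot: The extended gate on k_cpu_idle() in LowResTimer() now names two simulator boards but carries no comment saying why the idle call is skipped on them, so the next board rename will be as opaque as this one; the rationale from the commit message belongs next to the directive, e.g. `/* On the native simulators (native_posix, native_sim) k_cpu_idle() advances simulated time and skews DTLS retransmit timing, so only idle on other POSIX-arch targets. */`. The same `CONFIG_BOARD_NATIVE_POSIX`/`CONFIG_BOARD_NATIVE_SIM` pair is tested here and three more times in the wc_port.c hunks; a single wolfSSL-private macro defined once (name to be chosen, `WOLFSSL_ZEPHYR_NATIVE_SIM` is a constructed example) would keep the four sites in step. LowResTimer's body continues past the end of the hunk.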
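Review bot: Extending the first wc_port.c branch to native_sim widens the reach of the empty `#define CONFIG_RTC` two lines below it, which sits in the Kconfig-reserved `CONFIG_` namespace; Zephyr, as far as I know, also emits `CONFIG_RTC=1` when its RTC driver subsystem is enabled, and a build that has both will hit a macro redefinition with a different replacement list, at best a warning and an error under -Werror. Since z_time() tests `defined(CONFIG_RTC)` only as an internal flag, a private name such as `WOLFSSL_ZEPHYR_SIM_RTC` (constructed) defined here and checked in the second and third hunks would remove the collision. Whether `native_rtc.h` is still provided under that name for the native_sim board in Zephyr 4.3 is not visible in the diff and is worth confirming before merge.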
@@ -98,6 +98,21 @@ config WOLFSSL_MAX_FRAGMENT_LEN Sets the maximum fragment length wolfSSL will use, values 1-6 correspond to enum values WOLFSSL_MFL_* in ssl.h +config WOLFSSL_SESSION_EXPORT + bool "wolfSSL session export support" + help + Enable external session cache (HAVE_EXT_CACHE) + +config WOLFSSL_KEEP_PEER_CERT + bool "wolfSSL keep peer certificate support" + help + Retain peer certificate after handshake (KEEP_PEER_CERT) + +config WOLFSSL_ALWAYS_VERIFY_CB + bool "wolfSSL always invoke verify callback" + help + Invoke verify callback on success as well as failure (WOLFSSL_ALWAYS_VERIFY_CB) + config WOLFCRYPT_ARMASM bool "wolfCrypt ARM Assembly support" depends on WOLFSSL_BUILTIN diff --git a/zephyr/user_settings.h b/zephyr/user_settings.h index cc333bdaaa7..29aea487c8c 100644 --- a/zephyr/user_settings.h +++ b/zephyr/user_settings.h @@ -133,6 +133,21 @@ extern "C" { #define NO_SESSION_CACHE /* disable session resumption */ #endif +/* Session export (external session cache) */ +#if defined(CONFIG_WOLFSSL_SESSION_EXPORT) + #define HAVE_EXT_CACHE +#endif + +/* Keep peer certificate after handshake */ +#if defined(CONFIG_WOLFSSL_KEEP_PEER_CERT) + #define KEEP_PEER_CERT +#endif + +/* Always invoke verify callback (on success as well as failure) */ +#if defined(CONFIG_WOLFSSL_ALWAYS_VERIFY_CB) + #define WOLFSSL_ALWAYS_VERIFY_CB +#endif + /* DTLS */ #if defined(CONFIG_WOLFSSL_DTLS) #define WOLFSSL_DTLS From 008ca51cb514b9b67c2dcf93076884dee8f6dbd9 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Fri, 24 Apr 2026 06:09:25 -0700 Subject: [PATCH 2/2] Add additional macros to known macro list --- .wolfssl_known_macro_extras | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 9dfce8514c0..c84b3f72036 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras 
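Review bot: The help text for WOLFSSL_ALWAYS_VERIFY_CB stops at the macro name; under wolfSSL's verify-callback contract a callback written for the failure-only default that unconditionally returns 0 will, once this option is on, reject chains that validated correctly, and the help should say so, e.g. `The callback's return value is honoured on the success path too, so it must return the preverify result for chains it does not intend to reject.` Likewise the WOLFSSL_SESSION_EXPORT help could note that a serialized session carries the session's keying material and needs the same storage and transport protection as a private key. Both are documentation-only changes to the help blocks.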
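Review bot: In the user_settings.h hunk `HAVE_EXT_CACHE` is defined unconditionally from CONFIG_WOLFSSL_SESSION_EXPORT, while the lines just above the new block can define `NO_SESSION_CACHE`; if both end up set, the session serialization this option exists to enable is, as far as I can tell, compiled out together with the cache and the consumer only finds out at link time. A configuration-time check is cheaper: `#if defined(HAVE_EXT_CACHE) && defined(NO_SESSION_CACHE)` / `#error "CONFIG_WOLFSSL_SESSION_EXPORT requires the session cache"` / `#endif` after the new block, or an equivalent `depends on` in the Kconfig entry. The `#if` that guards NO_SESSION_CACHE starts above the hunk, so its Kconfig symbol is not visible here.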
@@ -157,6 +157,7 @@ CONFIG_WOLFSSL
 CONFIG_WOLFSSL_ALLOW_TLS13
 CONFIG_WOLFSSL_ALPN
 CONFIG_WOLFSSL_ALT_CERT_CHAINS
+CONFIG_WOLFSSL_ALWAYS_VERIFY_CB
 CONFIG_WOLFSSL_APPLE_HOMEKIT
 CONFIG_WOLFSSL_ASN_ALLOW_0_SERIAL
 CONFIG_WOLFSSL_CERTIFICATE_BUNDLE
@@ -174,11 +175,13 @@ CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFMQTT_TEMPLATE
 CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
 CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE
 CONFIG_WOLFSSL_HKDF
+CONFIG_WOLFSSL_KEEP_PEER_CERT
 CONFIG_WOLFSSL_MAX_FRAGMENT_LEN
 CONFIG_WOLFSSL_MLKEM
 CONFIG_WOLFSSL_NO_ASN_STRICT
 CONFIG_WOLFSSL_PSK
 CONFIG_WOLFSSL_RSA_PSS
+CONFIG_WOLFSSL_SESSION_EXPORT
 CONFIG_WOLFSSL_TARGET_HOST
 CONFIG_WOLFSSL_TARGET_PORT
 CONFIG_WOLFSSL_TLS13_ENABLED