wolfssl: update gencrypto

cmake/lws_config.h.in

@@ -47,6 +47,7 @@
 #cmakedefine LWS_HAVE_EVP_aes_192_cfb128
 #cmakedefine LWS_HAVE_EVP_aes_256_cfb8
 #cmakedefine LWS_HAVE_EVP_aes_256_cfb128
+#cmakedefine LWS_HAVE_EVP_aes_128_ofb
 #cmakedefine LWS_HAVE_EVP_aes_128_xts
 #cmakedefine LWS_HAVE_EVP_PKEY_new_raw_private_key
 #cmakedefine LWS_HAVE_EXECVPE

lib/tls/CMakeLists.txt

@@ -318,6 +318,12 @@ CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_192_cfb8 LWS_HAVE_EVP_aes_192_cfb8 PARENT_
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_192_cfb128 LWS_HAVE_EVP_aes_192_cfb128 PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_256_cfb8 LWS_HAVE_EVP_aes_256_cfb8 PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_256_cfb128 LWS_HAVE_EVP_aes_256_cfb128 PARENT_SCOPE)
+CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_xts LWS_HAVE_EVP_aes_128_xts PARENT_SCOPE)
+CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ofb LWS_HAVE_EVP_aes_128_ofb PARENT_SCOPE)
+CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ecb LWS_HAVE_EVP_aes_128_ecb PARENT_SCOPE)
+CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ctr LWS_HAVE_EVP_aes_128_ctr PARENT_SCOPE)
+
+
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_xts LWS_HAVE_EVP_aes_128_xts PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}RSA_verify_pss_mgf1 LWS_HAVE_RSA_verify_pss_mgf1 PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}HMAC_CTX_new LWS_HAVE_HMAC_CTX_new PARENT_SCOPE)

lib/tls/openssl/lws-genaes.c

@@ -79,19 +79,27 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op,
 			ctx->cipher = EVP_aes_128_cfb8();
 			break;
 #endif
+#if defined(LWS_HAVE_EVP_aes_128_ctr)
 		case LWS_GAESM_CTR:
 			ctx->cipher = EVP_aes_128_ctr();
 			break;
+#endif
+#if defined(LWS_HAVE_EVP_aes_128_ecb)
 		case LWS_GAESM_ECB:
 			ctx->cipher = EVP_aes_128_ecb();
 			break;
+#endif
+#if defined(LWS_HAVE_EVP_aes_128_ofb)
 		case LWS_GAESM_OFB:
 			ctx->cipher = EVP_aes_128_ofb();
 			break;
+#endif
+#if defined(LWS_HAVE_EVP_aes_128_xts)
 		case LWS_GAESM_XTS:
 			lwsl_err("%s: AES XTS requires double-length key\n",
 				 __func__);
 			break;
+#endif
 		case LWS_GAESM_GCM:
 			ctx->cipher = EVP_aes_128_gcm();
 			break;
@@ -126,18 +134,26 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op,
 			ctx->cipher = EVP_aes_192_cfb8();
 			break;
 #endif
+#if defined(LWS_HAVE_EVP_aes_128_ctr)
 		case LWS_GAESM_CTR:
 			ctx->cipher = EVP_aes_192_ctr();
 			break;
+#endif
+#if defined(LWS_HAVE_EVP_aes_128_ecb)
 		case LWS_GAESM_ECB:
 			ctx->cipher = EVP_aes_192_ecb();
 			break;
+#endif
+#if defined(LWS_HAVE_EVP_aes_128_ofb)
 		case LWS_GAESM_OFB:
 			ctx->cipher = EVP_aes_192_ofb();
 			break;
+#endif
+#if defined(LWS_HAVE_EVP_aes_128_xts)
 		case LWS_GAESM_XTS:
 			lwsl_err("%s: AES XTS 192 invalid\n", __func__);
 			goto bail;
+#endif
 		case LWS_GAESM_GCM:
 			ctx->cipher = EVP_aes_192_gcm();
 			break;
@@ -172,15 +188,21 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op,
 			ctx->cipher = EVP_aes_256_cfb8();
 			break;
 #endif
+#if defined(LWS_HAVE_EVP_aes_128_ctr)
 		case LWS_GAESM_CTR:
 			ctx->cipher = EVP_aes_256_ctr();
 			break;
+#endif
+#if defined(LWS_HAVE_EVP_aes_128_ecb)
 		case LWS_GAESM_ECB:
 			ctx->cipher = EVP_aes_256_ecb();
 			break;
+#endif
+#if defined(LWS_HAVE_EVP_aes_128_ofb)
 		case LWS_GAESM_OFB:
 			ctx->cipher = EVP_aes_256_ofb();
 			break;
+#endif
 #if defined(LWS_HAVE_EVP_aes_128_xts)
 		case LWS_GAESM_XTS:
 			ctx->cipher = EVP_aes_128_xts();
@@ -196,8 +218,10 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op,
 
 	case 512 / 8:
 		switch (mode) {
+#if defined(LWS_HAVE_EVP_aes_128_xts)
 		case LWS_GAESM_XTS:
 			ctx->cipher = EVP_aes_256_xts();
+#endif
 			break;
 		default:
 			goto bail;

lib/tls/openssl/lws-genec.c

@@ -34,11 +34,22 @@
 #error "You probably need LWS_SUPPRESS_DEPRECATED_API_WARNINGS"
 #endif
 
+#if defined(USE_WOLFSSL)
+#include "openssl/ecdh.h"
+#endif
+
 /*
  * Care: many openssl apis return 1 for success.  These are translated to the
  * lws convention of 0 for success.
  */
 
+#if defined(USE_WOLFSSL)
+EVP_PKEY * EVP_PKEY_CTX_get0_pkey(EVP_PKEY_CTX *p)
+{
+	return p->pkey;
+}
+#endif
+
 #if !defined(LWS_HAVE_ECDSA_SIG_set0)
 static void
 ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
@@ -66,9 +77,11 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
 int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
 {
     int i;
+#if !defined(USE_WOLFSSL)
     BN_ULONG l;
+#endif
 
-#if !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(USE_WOLFSSL)
     bn_check_top(a);
 #endif
     i = BN_num_bytes(a);
@@ -78,10 +91,14 @@ int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
         memset(to, 0, (size_t)(tolen - i));
         to += tolen - i;
     }
+#if defined(USE_WOLFSSL)
+    BN_bn2bin(a, to);
+#else
     while (i--) {
         l = a->d[i / BN_BYTES];
         *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
     }
+#endif
     return tolen;
 }
 #endif
@@ -132,7 +149,22 @@ lws_genec_eckey_import(int nid, EVP_PKEY *pkey, struct lws_gencrypto_keyelem *el
 		goto bail1;
 	}
 
+	/*
+	 * EC_KEY_set_public_key_affine_coordinates sets the public key for
+	 * key based on its affine co-ordinates, i.e. it constructs an
+	 * EC_POINT object based on the supplied x and y values and sets
+	 * the public key to be this EC_POINT. It will also performs
+	 * certain sanity checks on the key to confirm that it is valid.
+	 */
+
+#if defined(USE_WOLFSSL)
+	n = wolfSSL_EC_POINT_set_affine_coordinates_GFp(ec->group,
+                                                ec->pub_key,
+                                                bn_x, bn_y,
+                                                NULL);
+#else
 	n = EC_KEY_set_public_key_affine_coordinates(ec, bn_x, bn_y);
+#endif
 	BN_free(bn_x);
 	BN_free(bn_y);
 	if (n != 1) {
@@ -160,10 +192,12 @@ lws_genec_eckey_import(int nid, EVP_PKEY *pkey, struct lws_gencrypto_keyelem *el
 
 	/* explicitly confirm the key pieces are consistent */
 
+#if !defined(USE_WOLFSSL)
 	if (EC_KEY_check_key(ec) != 1) {
 		lwsl_err("%s: EC_KEY_set_private_key fail\n", __func__);
 		goto bail;
 	}
+#endif
 
 	n = EVP_PKEY_assign_EC_KEY(pkey, ec);
 	if (n != 1) {
@@ -660,7 +694,12 @@ lws_genecdh_compute_shared_secret(struct lws_genec_ctx *ctx, uint8_t *ss,
 
 	len = (EC_GROUP_get_degree(EC_KEY_get0_group(eckey[LDHS_OURS])) + 7) / 8;
 	if (len <= *ss_len) {
-		*ss_len = ECDH_compute_key(ss, (unsigned int)len,
+#if defined(USE_WOLFSSL)
+		*ss_len = wolfSSL_ECDH_compute_key(
+#else
+		*ss_len = ECDH_compute_key(
+#endif
+				ss, (unsigned int)len,
 				EC_KEY_get0_public_key(eckey[LDHS_THEIRS]),
 				eckey[LDHS_OURS], NULL);
 		ret = -(*ss_len < 0);

lib/tls/openssl/lws-genhash.c

@@ -217,9 +217,9 @@ int
 lws_genhmac_update(struct lws_genhmac_ctx *ctx, const void *in, size_t len)
 {
 #if defined(LWS_HAVE_HMAC_CTX_new)
-	if (HMAC_Update(ctx->ctx, in, len) != 1)
+	if (HMAC_Update(ctx->ctx, in, (int)len) != 1)
 #else
-	if (HMAC_Update(&ctx->ctx, in, len) != 1)
+	if (HMAC_Update(&ctx->ctx, in, (int)len) != 1)
 #endif
 		return -1;
 

lib/tls/openssl/lws-genrsa.c

@@ -111,7 +111,7 @@ lws_genrsa_create(struct lws_genrsa_ctx *ctx, struct lws_gencrypto_keyelem *el,
 		goto bail;
 	}
 
-#if defined(LWS_HAVE_RSA_SET0_KEY)
+#if defined(LWS_HAVE_RSA_SET0_KEY) && !defined(USE_WOLFSSL) 
 	if (RSA_set0_key(ctx->rsa, ctx->bn[LWS_GENCRYPTO_RSA_KEYEL_N],
 			 ctx->bn[LWS_GENCRYPTO_RSA_KEYEL_E],
 			 ctx->bn[LWS_GENCRYPTO_RSA_KEYEL_D]) != 1) {
@@ -177,7 +177,7 @@ lws_genrsa_new_keypair(struct lws_context *context, struct lws_genrsa_ctx *ctx,
 	if (n != 1)
 		goto cleanup_1;
 
-#if defined(LWS_HAVE_RSA_SET0_KEY)
+#if defined(LWS_HAVE_RSA_SET0_KEY) && !defined(USE_WOLFSSL)
 	{
 		const BIGNUM *mpi[5];
 
@@ -363,7 +363,11 @@ lws_genrsa_hash_sign(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 			goto bail;
 
 		if (EVP_DigestSignInit(mdctx, NULL, md, NULL,
+#if defined(USE_WOLFSSL)
+					ctx->ctx->pkey)) {
+#else
 				       EVP_PKEY_CTX_get0_pkey(ctx->ctx))) {
+#endif
 			lwsl_err("%s: EVP_DigestSignInit failed\n", __func__);
 
 			goto bail;