mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00

wolfssl: update gencrypto

Andy Green 2021-09-07 19:52:32 +01:00
parent 0c94138fd3
commit a8a443e645
9 changed files with 129 additions and 24 deletions


@ -47,7 +47,10 @@
#cmakedefine LWS_HAVE_EVP_aes_192_cfb128
#cmakedefine LWS_HAVE_EVP_aes_256_cfb8
#cmakedefine LWS_HAVE_EVP_aes_256_cfb128
#cmakedefine LWS_HAVE_EVP_aes_128_ofb
#cmakedefine LWS_HAVE_EVP_aes_128_xts
#cmakedefine LWS_HAVE_EVP_aes_128_ctr
#cmakedefine LWS_HAVE_EVP_aes_128_ecb
#cmakedefine LWS_HAVE_EVP_PKEY_new_raw_private_key
#cmakedefine LWS_HAVE_EXECVPE
#cmakedefine LWS_HAVE_LOCALTIME_R


@ -327,6 +327,12 @@ CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_192_cfb8 LWS_HAVE_EVP_aes_192_cfb8 PARENT_
CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_192_cfb128 LWS_HAVE_EVP_aes_192_cfb128 PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_256_cfb8 LWS_HAVE_EVP_aes_256_cfb8 PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_256_cfb128 LWS_HAVE_EVP_aes_256_cfb128 PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_xts LWS_HAVE_EVP_aes_128_xts PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ofb LWS_HAVE_EVP_aes_128_ofb PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ecb LWS_HAVE_EVP_aes_128_ecb PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ctr LWS_HAVE_EVP_aes_128_ctr PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_xts LWS_HAVE_EVP_aes_128_xts PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(${VARIA}RSA_verify_pss_mgf1 LWS_HAVE_RSA_verify_pss_mgf1 PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(${VARIA}HMAC_CTX_new LWS_HAVE_HMAC_CTX_new PARENT_SCOPE)
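Review bot: Only the 128-bit variants of CTR, ECB, OFB and XTS are probed here, yet the lws_genaes_create hunks in this commit use the resulting macros to guard calls to `EVP_aes_192_ctr()`, `EVP_aes_256_ofb()` and the other wider-key variants. A TLS library that exports the 128-bit function but not the wider ones would pass the probe and then fail at compile or link time. Either probe each variant that is actually called, or add a comment stating that the 128-bit symbol is deliberately used as a proxy for the whole mode. The `EVP_aes_128_xts` check also appears twice in this block; one copy can be dropped.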


@ -79,19 +79,27 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op,
ctx->cipher = EVP_aes_128_cfb8();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_ctr)
case LWS_GAESM_CTR:
ctx->cipher = EVP_aes_128_ctr();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_ecb)
case LWS_GAESM_ECB:
ctx->cipher = EVP_aes_128_ecb();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_ofb)
case LWS_GAESM_OFB:
ctx->cipher = EVP_aes_128_ofb();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_xts)
case LWS_GAESM_XTS:
lwsl_err("%s: AES XTS requires double-length key\n",
__func__);
break;
#endif
case LWS_GAESM_GCM:
ctx->cipher = EVP_aes_128_gcm();
break;
@ -126,18 +134,26 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op,
ctx->cipher = EVP_aes_192_cfb8();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_ctr)
case LWS_GAESM_CTR:
ctx->cipher = EVP_aes_192_ctr();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_ecb)
case LWS_GAESM_ECB:
ctx->cipher = EVP_aes_192_ecb();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_ofb)
case LWS_GAESM_OFB:
ctx->cipher = EVP_aes_192_ofb();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_xts)
case LWS_GAESM_XTS:
lwsl_err("%s: AES XTS 192 invalid\n", __func__);
goto bail;
#endif
case LWS_GAESM_GCM:
ctx->cipher = EVP_aes_192_gcm();
break;
@ -172,15 +188,21 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op,
ctx->cipher = EVP_aes_256_cfb8();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_ctr)
case LWS_GAESM_CTR:
ctx->cipher = EVP_aes_256_ctr();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_ecb)
case LWS_GAESM_ECB:
ctx->cipher = EVP_aes_256_ecb();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_ofb)
case LWS_GAESM_OFB:
ctx->cipher = EVP_aes_256_ofb();
break;
#endif
#if defined(LWS_HAVE_EVP_aes_128_xts)
case LWS_GAESM_XTS:
ctx->cipher = EVP_aes_128_xts();
@ -196,8 +218,10 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op,
case 512 / 8:
switch (mode) {
#if defined(LWS_HAVE_EVP_aes_128_xts)
case LWS_GAESM_XTS:
ctx->cipher = EVP_aes_256_xts();
#endif
break;
default:
goto bail;
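Review bot: In the 128-bit-key switch the `LWS_GAESM_XTS` case logs "AES XTS requires double-length key" and then executes `break`, whereas the 192-bit case uses `goto bail` for its invalid XTS size, so here control leaves the switch without this case having assigned `ctx->cipher`. The code after the switch is outside the hunk, so it cannot be confirmed from here whether an unset or stale cipher reaches the EVP init call, but rejecting the request is the safer behaviour: replace that `break;` with `goto bail;`. In the 512-bit-key hunk the new `#endif` sits between `ctx->cipher = EVP_aes_256_xts();` and `break;`, which leaves a bare `break;` ahead of any case label when XTS is compiled out; moving the `#endif` below `break;` keeps the case self-contained. lws_genaes_create begins and ends outside these hunks.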


@ -34,11 +34,22 @@
#error "You probably need LWS_SUPPRESS_DEPRECATED_API_WARNINGS"
#endif
#if defined(USE_WOLFSSL)
#include "openssl/ecdh.h"
#endif
/*
* Care: many openssl apis return 1 for success. These are translated to the
* lws convention of 0 for success.
*/
#if defined(USE_WOLFSSL)
EVP_PKEY * EVP_PKEY_CTX_get0_pkey(EVP_PKEY_CTX *p)
{
return p->pkey;
}
#endif
#if !defined(LWS_HAVE_ECDSA_SIG_set0)
static void
ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
@ -66,9 +77,11 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
{
int i;
#if !defined(USE_WOLFSSL)
BN_ULONG l;
#endif
#if !defined(LIBRESSL_VERSION_NUMBER)
#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(USE_WOLFSSL)
bn_check_top(a);
#endif
i = BN_num_bytes(a);
@ -78,10 +91,14 @@ int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
memset(to, 0, (size_t)(tolen - i));
to += tolen - i;
}
#if defined(USE_WOLFSSL)
BN_bn2bin(a, to);
#else
while (i--) {
l = a->d[i / BN_BYTES];
*(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
}
#endif
return tolen;
}
#endif
@ -133,7 +150,22 @@ lws_genec_eckey_import(int nid, EVP_PKEY *pkey,
goto bail1;
}
/*
* EC_KEY_set_public_key_affine_coordinates sets the public key for
* key based on its affine co-ordinates, i.e. it constructs an
* EC_POINT object based on the supplied x and y values and sets
* the public key to be this EC_POINT. It will also performs
* certain sanity checks on the key to confirm that it is valid.
*/
#if defined(USE_WOLFSSL)
n = wolfSSL_EC_POINT_set_affine_coordinates_GFp(ec->group,
ec->pub_key,
bn_x, bn_y,
NULL);
#else
n = EC_KEY_set_public_key_affine_coordinates(ec, bn_x, bn_y);
#endif
BN_free(bn_x);
BN_free(bn_y);
if (n != 1) {
@ -161,10 +193,12 @@ lws_genec_eckey_import(int nid, EVP_PKEY *pkey,
/* explicitly confirm the key pieces are consistent */
#if !defined(USE_WOLFSSL)
if (EC_KEY_check_key(ec) != 1) {
lwsl_err("%s: EC_KEY_set_private_key fail\n", __func__);
goto bail;
}
#endif
n = EVP_PKEY_assign_EC_KEY(pkey, ec);
if (n != 1) {
@ -663,7 +697,12 @@ lws_genecdh_compute_shared_secret(struct lws_genec_ctx *ctx, uint8_t *ss,
len = (EC_GROUP_get_degree(EC_KEY_get0_group(eckey[LDHS_OURS])) + 7) / 8;
if (len <= *ss_len) {
*ss_len = ECDH_compute_key(ss, (unsigned int)len,
#if defined(USE_WOLFSSL)
*ss_len = wolfSSL_ECDH_compute_key(
#else
*ss_len = ECDH_compute_key(
#endif
ss, (unsigned int)len,
EC_KEY_get0_public_key(eckey[LDHS_THEIRS]),
eckey[LDHS_OURS], NULL);
ret = -(*ss_len < 0);
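Review bot: Under USE_WOLFSSL, lws_genec_eckey_import loses both of its key-validation steps: the public point is stored with `wolfSSL_EC_POINT_set_affine_coordinates_GFp()` instead of `EC_KEY_set_public_key_affine_coordinates()`, whose sanity checks the comment above the call describes, and the later `EC_KEY_check_key(ec)` is compiled out. Whether the wolfSSL setter rejects off-curve coordinates is not visible here; if it does not, an externally supplied point that is not on the curve would be imported and could later be fed to the ECDH computation in lws_genecdh_compute_shared_secret, which is the precondition for invalid-curve weaknesses. The wolfSSL branch should keep an explicit validation step, for example a check such as `EC_POINT_is_on_curve(ec->group, ec->pub_key, NULL) != 1` treated as an import failure (assuming the wolfSSL compatibility layer in use provides it). Otherwise it needs a comment naming the wolfSSL call that performs the equivalent check. The function bodies start and end outside these hunks.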


@ -26,6 +26,7 @@
*/
#include <private-lib-core.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslv.h>
/*
* Care: many openssl apis return 1 for success. These are translated to the
* lws convention of 0 for success.
@ -221,8 +222,12 @@ int
lws_genhmac_update(struct lws_genhmac_ctx *ctx, const void *in, size_t len)
{
#if defined(LWS_HAVE_HMAC_CTX_new)
#if defined(LIBRESSL_VERSION_NUMBER)
if (HMAC_Update(ctx->ctx, in, len) != 1)
#else
if (HMAC_Update(ctx->ctx, in, (int)len) != 1)
#endif
#else /* HMAC_CTX_new */
if (HMAC_Update(&ctx->ctx, in, len) != 1)
#endif
return -1;
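Review bot: The new `(int)len` cast applies to every non-LibreSSL build, not only wolfSSL, because the guard tests `LIBRESSL_VERSION_NUMBER`; OpenSSL's `HMAC_Update` takes a `size_t` length, so the narrowing is unnecessary there. With any library, a `len` above `INT_MAX` is converted to an implementation-defined, possibly negative value with no error, so the MAC would not cover the data the caller passed. Guard the cast with `#if defined(USE_WOLFSSL)` (presumably the library it was added for) and reject oversize input before the call, e.g. `if (len > INT_MAX) return -1;`, which needs `<limits.h>`.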


@ -112,7 +112,7 @@ lws_genrsa_create(struct lws_genrsa_ctx *ctx,
goto bail;
}
#if defined(LWS_HAVE_RSA_SET0_KEY)
#if defined(LWS_HAVE_RSA_SET0_KEY) && !defined(USE_WOLFSSL)
if (RSA_set0_key(ctx->rsa, ctx->bn[LWS_GENCRYPTO_RSA_KEYEL_N],
ctx->bn[LWS_GENCRYPTO_RSA_KEYEL_E],
ctx->bn[LWS_GENCRYPTO_RSA_KEYEL_D]) != 1) {
@ -178,7 +178,7 @@ lws_genrsa_new_keypair(struct lws_context *context, struct lws_genrsa_ctx *ctx,
if (n != 1)
goto cleanup_1;
#if defined(LWS_HAVE_RSA_SET0_KEY)
#if defined(LWS_HAVE_RSA_SET0_KEY) && !defined(USE_WOLFSSL)
{
const BIGNUM *mpi[5];
@ -365,7 +365,11 @@ lws_genrsa_hash_sign(struct lws_genrsa_ctx *ctx, const uint8_t *in,
goto bail;
if (EVP_DigestSignInit(mdctx, NULL, md, NULL,
#if defined(USE_WOLFSSL)
ctx->ctx->pkey)) {
#else
EVP_PKEY_CTX_get0_pkey(ctx->ctx))) {
#endif
lwsl_err("%s: EVP_DigestSignInit failed\n", __func__);
goto bail;
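Review bot: The condition around `EVP_DigestSignInit(...)` takes the failure branch whenever the call returns non-zero, but OpenSSL documents 1 as this function's success value, so as written a successful init logs "EVP_DigestSignInit failed" and bails; the commit edits the call's last argument without touching the test. Comparing explicitly, `EVP_PKEY_CTX_get0_pkey(ctx->ctx)) != 1) {` and likewise on the wolfSSL line, would match the `RSA_set0_key(...) != 1` check earlier in this file. The wolfSSL branch also reads `ctx->ctx->pkey` directly although this commit adds an `EVP_PKEY_CTX_get0_pkey()` shim for wolfSSL in the EC file; sharing that shim would remove the `#if` from this call. lws_genrsa_hash_sign starts and ends outside the hunk.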


@ -740,7 +740,7 @@ lws_x509_jwk_privkey_pem(struct lws_context *cx, struct lws_jwk *jwk,
goto bail;
}
#if defined(LWS_HAVE_RSA_SET0_KEY)
#if defined(LWS_HAVE_RSA_SET0_KEY) && !defined(USE_WOLFSSL)
RSA_get0_key(rsapriv, (const BIGNUM **)&dummy[0], /* n */
(const BIGNUM **)&dummy[1], /* e */
(const BIGNUM **)&mpi); /* d */


@ -11,7 +11,7 @@ set(SRCS main.c lws-genaes.c lws-genec.c)
set(requirements 1)
require_lws_config(LWS_WITH_GENCRYPTO 1 requirements)
require_lws_config(LWS_WITH_JOSE 1 requirements)
require_lws_config(USE_WOLFSSL 0 requirements)
if (requirements)
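Review bot: `require_lws_config(USE_WOLFSSL 0 requirements)` switches this test app off for wolfSSL builds, so the wolfSSL-specific branches added elsewhere in this commit (EC point import, the ECDH call, AES mode selection) get no coverage from the `lws-genaes.c` and `lws-genec.c` tests listed in SRCS. A comment on this line stating why the app is excluded under wolfSSL, and what has to change before it can be enabled, would mark this as a known gap rather than an oversight.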


@ -9,6 +9,10 @@
#include <libwebsockets.h>
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CBC))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cbc))
static const uint8_t
/*
* produced with (plaintext.txt contains "test plaintext\0\0")
@ -101,7 +105,10 @@ bail:
return -1;
}
#endif
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CFB))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cfb128))
static const uint8_t
/*
* produced with (plaintext.txt contains "test plaintext\0\0")
@ -188,6 +195,10 @@ bail:
return -1;
}
#endif
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CFB))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cfb8))
static const uint8_t
/*
@ -272,7 +283,10 @@ bail:
return -1;
}
#endif
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CTR))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ctr))
static const uint8_t
/*
* produced with (plaintext.txt contains "test plaintext\0\0")
@ -365,7 +379,10 @@ bail:
return -1;
}
#endif
#if (defined(LWS_WITH_MBEDTLS)) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ecb))
static const uint8_t
/*
* produced with (plaintext.txt contains "test plaintext\0\0")
@ -449,10 +466,10 @@ bail:
return -1;
}
#endif
#if defined(MBEDTLS_CONFIG_H) && !defined(MBEDTLS_CIPHER_MODE_OFB)
#else
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_OFB))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ofb))
static const uint8_t
/*
* produced with (plaintext.txt contains "test plaintext\0\0")
@ -481,7 +498,6 @@ static const uint8_t
0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
}
;
static int
test_genaes_ofb(void)
{
@ -549,8 +565,8 @@ bail:
#endif
#if defined(MBEDTLS_CONFIG_H) && !defined(MBEDTLS_CIPHER_MODE_XTS)
#else
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_XTS))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_xts))
static const uint8_t
/*
@ -575,10 +591,10 @@ static const uint8_t
0x5f, 0x31, 0x9e, 0xcd, 0x33, 0x08, 0xa0, 0x44
}
;
static int
test_genaes_xts(void)
{
struct lws_genaes_ctx ctx;
struct lws_gencrypto_keyelem e;
uint8_t res[32], res1[32], data_unit[16];
@ -757,30 +773,38 @@ bail:
int
test_genaes(struct lws_context *context)
{
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CBC))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cbc))
if (test_genaes_cbc())
goto bail;
#endif
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CFB))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cfb128))
if (test_genaes_cfb128())
goto bail;
#endif
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CFB))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cfb8))
if (test_genaes_cfb8())
goto bail;
#endif
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CTR))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ctr))
if (test_genaes_ctr())
goto bail;
#endif
#if (defined(LWS_WITH_MBEDTLS)) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ecb))
if (test_genaes_ecb())
goto bail;
#if defined(MBEDTLS_CONFIG_H) && !defined(MBEDTLS_CIPHER_MODE_OFB)
#else
#endif
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_OFB))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ofb))
if (test_genaes_ofb())
goto bail;
#endif
#if defined(MBEDTLS_CONFIG_H) && !defined(MBEDTLS_CIPHER_MODE_XTS)
#else
#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_XTS))) || \
(!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_xts))
if (test_genaes_xts())
goto bail;
#endif
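Review bot: When a mode's guard is false, test_genaes skips that test with no output, so a build whose `LWS_HAVE_EVP_aes_128_*` probes all came back negative would presumably still pass while exercising no AES mode at all. An `#else` arm that logs the skip, e.g. `lwsl_notice("%s: CBC not available, skipped\n", __func__);`, would make the gap visible in test logs. Each long guard expression is also written out twice, once around the test function and once around its call; defining one macro per mode under that condition and testing the macro in both places would keep the two copies from drifting apart. The rest of test_genaes is outside this hunk.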