diff --git a/cmake/lws_config.h.in b/cmake/lws_config.h.in
index 26431dcfd..f3f4a9d79 100644
--- a/cmake/lws_config.h.in
+++ b/cmake/lws_config.h.in
@@ -47,7 +47,10 @@
 #cmakedefine LWS_HAVE_EVP_aes_192_cfb128
 #cmakedefine LWS_HAVE_EVP_aes_256_cfb8
 #cmakedefine LWS_HAVE_EVP_aes_256_cfb128
+#cmakedefine LWS_HAVE_EVP_aes_128_ofb
 #cmakedefine LWS_HAVE_EVP_aes_128_xts
+#cmakedefine LWS_HAVE_EVP_aes_128_ctr
+#cmakedefine LWS_HAVE_EVP_aes_128_ecb
 #cmakedefine LWS_HAVE_EVP_PKEY_new_raw_private_key
 #cmakedefine LWS_HAVE_EXECVPE
 #cmakedefine LWS_HAVE_LOCALTIME_R
diff --git a/lib/tls/CMakeLists.txt b/lib/tls/CMakeLists.txt
index b51a1c289..fdf9cb1d4 100644
--- a/lib/tls/CMakeLists.txt
+++ b/lib/tls/CMakeLists.txt
@@ -327,6 +327,12 @@ CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_192_cfb8 LWS_HAVE_EVP_aes_192_cfb8 PARENT_
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_192_cfb128 LWS_HAVE_EVP_aes_192_cfb128 PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_256_cfb8 LWS_HAVE_EVP_aes_256_cfb8 PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_256_cfb128 LWS_HAVE_EVP_aes_256_cfb128 PARENT_SCOPE)
+CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_xts LWS_HAVE_EVP_aes_128_xts PARENT_SCOPE)
+CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ofb LWS_HAVE_EVP_aes_128_ofb PARENT_SCOPE)
+CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ecb LWS_HAVE_EVP_aes_128_ecb PARENT_SCOPE)
+CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ctr LWS_HAVE_EVP_aes_128_ctr PARENT_SCOPE)
+
+
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_xts LWS_HAVE_EVP_aes_128_xts PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}RSA_verify_pss_mgf1 LWS_HAVE_RSA_verify_pss_mgf1 PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}HMAC_CTX_new LWS_HAVE_HMAC_CTX_new PARENT_SCOPE)
diff --git a/lib/tls/openssl/lws-genaes.c b/lib/tls/openssl/lws-genaes.c
index bc4d7d82d..fa0fe806c 100644
--- a/lib/tls/openssl/lws-genaes.c
+++ b/lib/tls/openssl/lws-genaes.c
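Review bot: In lib/tls/CMakeLists.txt the added `CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_xts LWS_HAVE_EVP_aes_128_xts PARENT_SCOPE)` repeats the identical probe that survives as the context line just below the two added blank lines, so the XTS check now runs twice. Drop the added copy and the blank lines, keeping only the new `_ofb`, `_ecb` and `_ctr` probes. Only 128-bit symbols are probed, while lws-genaes.c uses the results to gate the 192- and 256-bit constructors too; a comment such as `# the 128-bit probe stands in for every key size of the mode` would record that assumption.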
@@ -79,19 +79,27 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op, ctx->cipher = EVP_aes_128_cfb8(); break; #endif +#if defined(LWS_HAVE_EVP_aes_128_ctr) case LWS_GAESM_CTR: ctx->cipher = EVP_aes_128_ctr(); break; +#endif +#if defined(LWS_HAVE_EVP_aes_128_ecb) case LWS_GAESM_ECB: ctx->cipher = EVP_aes_128_ecb(); break; +#endif +#if defined(LWS_HAVE_EVP_aes_128_ofb) case LWS_GAESM_OFB: ctx->cipher = EVP_aes_128_ofb(); break; +#endif +#if defined(LWS_HAVE_EVP_aes_128_xts) case LWS_GAESM_XTS: lwsl_err("%s: AES XTS requires double-length key\n", __func__); break; +#endif case LWS_GAESM_GCM: ctx->cipher = EVP_aes_128_gcm(); break; @@ -126,18 +134,26 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op, ctx->cipher = EVP_aes_192_cfb8(); break; #endif +#if defined(LWS_HAVE_EVP_aes_128_ctr) case LWS_GAESM_CTR: ctx->cipher = EVP_aes_192_ctr(); break; +#endif +#if defined(LWS_HAVE_EVP_aes_128_ecb) case LWS_GAESM_ECB: ctx->cipher = EVP_aes_192_ecb(); break; +#endif +#if defined(LWS_HAVE_EVP_aes_128_ofb) case LWS_GAESM_OFB: ctx->cipher = EVP_aes_192_ofb(); break; +#endif +#if defined(LWS_HAVE_EVP_aes_128_xts) case LWS_GAESM_XTS: lwsl_err("%s: AES XTS 192 invalid\n", __func__); goto bail; +#endif case LWS_GAESM_GCM: ctx->cipher = EVP_aes_192_gcm(); break; @@ -172,15 +188,21 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op, ctx->cipher = EVP_aes_256_cfb8(); break; #endif +#if defined(LWS_HAVE_EVP_aes_128_ctr) case LWS_GAESM_CTR: ctx->cipher = EVP_aes_256_ctr(); break; +#endif +#if defined(LWS_HAVE_EVP_aes_128_ecb) case LWS_GAESM_ECB: ctx->cipher = EVP_aes_256_ecb(); break; +#endif +#if defined(LWS_HAVE_EVP_aes_128_ofb) case LWS_GAESM_OFB: ctx->cipher = EVP_aes_256_ofb(); break; +#endif #if defined(LWS_HAVE_EVP_aes_128_xts) case LWS_GAESM_XTS: ctx->cipher = EVP_aes_128_xts(); 
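Review bot: In the first hunk of lws_genaes_create(), the `LWS_GAESM_XTS` case that is now wrapped in `#if defined(LWS_HAVE_EVP_aes_128_xts)` logs "AES XTS requires double-length key" and then leaves the switch with `break;`, while the same case in the 192-bit hunk rejects the request with `goto bail;`. Unless code outside the hunk catches the unset `ctx->cipher`, a request for XTS with a single-length key carries on with no cipher selected; using `goto bail;` here would make the two cases agree. With the new guards a mode whose symbol is missing now reaches the switch's `default:` label, which is outside these hunks for the 128-, 192- and 256-bit switches, so it is worth confirming that each one fails the create call.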
@@ -196,8 +218,10 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op, case 512 / 8: switch (mode) { +#if defined(LWS_HAVE_EVP_aes_128_xts) case LWS_GAESM_XTS: ctx->cipher = EVP_aes_256_xts(); +#endif break; default: goto bail; diff --git a/lib/tls/openssl/lws-genec.c b/lib/tls/openssl/lws-genec.c index f7482495d..12830094a 100644 --- a/lib/tls/openssl/lws-genec.c +++ b/lib/tls/openssl/lws-genec.c @@ -34,11 +34,22 @@ #error "You probably need LWS_SUPPRESS_DEPRECATED_API_WARNINGS" #endif +#if defined(USE_WOLFSSL) +#include "openssl/ecdh.h" +#endif + /* * Care: many openssl apis return 1 for success. These are translated to the * lws convention of 0 for success. */ +#if defined(USE_WOLFSSL) +EVP_PKEY * EVP_PKEY_CTX_get0_pkey(EVP_PKEY_CTX *p) +{ + return p->pkey; +} +#endif + #if !defined(LWS_HAVE_ECDSA_SIG_set0) static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) @@ -66,9 +77,11 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { int i; +#if !defined(USE_WOLFSSL) BN_ULONG l; +#endif -#if !defined(LIBRESSL_VERSION_NUMBER) +#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(USE_WOLFSSL) bn_check_top(a); #endif i = BN_num_bytes(a); @@ -78,10 +91,14 @@ int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) memset(to, 0, (size_t)(tolen - i)); to += tolen - i; } +#if defined(USE_WOLFSSL) + BN_bn2bin(a, to); +#else while (i--) { l = a->d[i / BN_BYTES]; *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; } +#endif return tolen; } #endif 
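Review bot: The `#endif` in the `case 512 / 8:` switch sits above `break;`, so when `LWS_HAVE_EVP_aes_128_xts` is undefined a bare `break;` is left as the first statement of the switch body, ahead of any label. It is unreachable and harmless, but it can draw a compiler warning; moving `#endif` below `break;` keeps the whole case inside the guard, as the other hunks do. The guard also keys `EVP_aes_256_xts()` on the probe for `EVP_aes_128_xts`, which assumes the two are always present together.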
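Review bot: The wolfSSL shim `EVP_PKEY_CTX_get0_pkey()` added in lws-genec.c is defined with external linkage under an OpenSSL API name and gated only on `USE_WOLFSSL`, so it will collide if the wolfSSL compatibility layer in use, now or after an upgrade, provides that symbol itself. Gating it on a dedicated `LWS_HAVE_…` probe, the way `ECDSA_SIG_set0` is handled just below, avoids that; the body `return p->pkey;` also ties lws to wolfSSL's private struct layout and deserves a comment saying so. lws-genrsa.c does not call the shim and open-codes `ctx->ctx->pkey` in lws_genrsa_hash_sign() instead, so one of the two approaches should be used in both files.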
@@ -133,7 +150,22 @@ lws_genec_eckey_import(int nid, EVP_PKEY *pkey, goto bail1; } + /* + * EC_KEY_set_public_key_affine_coordinates sets the public key for + * key based on its affine co-ordinates, i.e. it constructs an + * EC_POINT object based on the supplied x and y values and sets + * the public key to be this EC_POINT. It will also performs + * certain sanity checks on the key to confirm that it is valid. + */ + +#if defined(USE_WOLFSSL) + n = wolfSSL_EC_POINT_set_affine_coordinates_GFp(ec->group, + ec->pub_key, + bn_x, bn_y, + NULL); +#else n = EC_KEY_set_public_key_affine_coordinates(ec, bn_x, bn_y); +#endif BN_free(bn_x); BN_free(bn_y); if (n != 1) { @@ -161,10 +193,12 @@ lws_genec_eckey_import(int nid, EVP_PKEY *pkey, /* explicitly confirm the key pieces are consistent */ +#if !defined(USE_WOLFSSL) if (EC_KEY_check_key(ec) != 1) { lwsl_err("%s: EC_KEY_set_private_key fail\n", __func__); goto bail; } +#endif n = EVP_PKEY_assign_EC_KEY(pkey, ec); if (n != 1) { @@ -663,7 +697,12 @@ lws_genecdh_compute_shared_secret(struct lws_genec_ctx *ctx, uint8_t *ss, len = (EC_GROUP_get_degree(EC_KEY_get0_group(eckey[LDHS_OURS])) + 7) / 8; if (len <= *ss_len) { - *ss_len = ECDH_compute_key(ss, (unsigned int)len, +#if defined(USE_WOLFSSL) + *ss_len = wolfSSL_ECDH_compute_key( +#else + *ss_len = ECDH_compute_key( +#endif + ss, (unsigned int)len, EC_KEY_get0_public_key(eckey[LDHS_THEIRS]), eckey[LDHS_OURS], NULL); ret = -(*ss_len < 0); diff --git a/lib/tls/openssl/lws-genhash.c b/lib/tls/openssl/lws-genhash.c index 11f2fdedf..5363bcbae 100644 --- a/lib/tls/openssl/lws-genhash.c +++ b/lib/tls/openssl/lws-genhash.c @@ -26,6 +26,7 @@ */ #include #include +#include /* * Care: many openssl apis return 1 for success. These are translated to the * lws convention of 0 for success. 
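Review bot: Under `USE_WOLFSSL` nothing visible in lws_genec_eckey_import() validates the imported public point any more: `EC_KEY_set_public_key_affine_coordinates()` is replaced by `wolfSSL_EC_POINT_set_affine_coordinates_GFp(ec->group, ec->pub_key, …)`, and the following hunk compiles out `EC_KEY_check_key(ec)`. The comment added here says the OpenSSL call "performs certain sanity checks on the key", but the hunk does not show the wolfSSL call doing the same. Since this function imports raw x/y elements, which may originate from a peer, a point that is not on the curve should be rejected before the key is used for ECDH or signature verification. The wolfSSL branch should keep an explicit check, for example `EC_POINT_is_on_curve(ec->group, ec->pub_key, NULL) != 1` leading to the existing failure path if the compatibility layer provides it, and otherwise fail the import. The function begins and ends outside both hunks.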
@@ -221,8 +222,12 @@ int lws_genhmac_update(struct lws_genhmac_ctx *ctx, const void *in, size_t len) { #if defined(LWS_HAVE_HMAC_CTX_new) +#if defined(LIBRESSL_VERSION_NUMBER) if (HMAC_Update(ctx->ctx, in, len) != 1) #else + if (HMAC_Update(ctx->ctx, in, (int)len) != 1) +#endif +#else /* HMAC_CTX_new */ if (HMAC_Update(&ctx->ctx, in, len) != 1) #endif return -1; diff --git a/lib/tls/openssl/lws-genrsa.c b/lib/tls/openssl/lws-genrsa.c index 4cc23f029..985246c9f 100644 --- a/lib/tls/openssl/lws-genrsa.c +++ b/lib/tls/openssl/lws-genrsa.c @@ -112,7 +112,7 @@ lws_genrsa_create(struct lws_genrsa_ctx *ctx, goto bail; } -#if defined(LWS_HAVE_RSA_SET0_KEY) +#if defined(LWS_HAVE_RSA_SET0_KEY) && !defined(USE_WOLFSSL) if (RSA_set0_key(ctx->rsa, ctx->bn[LWS_GENCRYPTO_RSA_KEYEL_N], ctx->bn[LWS_GENCRYPTO_RSA_KEYEL_E], ctx->bn[LWS_GENCRYPTO_RSA_KEYEL_D]) != 1) { @@ -178,7 +178,7 @@ lws_genrsa_new_keypair(struct lws_context *context, struct lws_genrsa_ctx *ctx, if (n != 1) goto cleanup_1; -#if defined(LWS_HAVE_RSA_SET0_KEY) +#if defined(LWS_HAVE_RSA_SET0_KEY) && !defined(USE_WOLFSSL) { const BIGNUM *mpi[5]; @@ -365,7 +365,11 @@ lws_genrsa_hash_sign(struct lws_genrsa_ctx *ctx, const uint8_t *in, goto bail; if (EVP_DigestSignInit(mdctx, NULL, md, NULL, +#if defined(USE_WOLFSSL) + ctx->ctx->pkey)) { +#else EVP_PKEY_CTX_get0_pkey(ctx->ctx))) { +#endif lwsl_err("%s: EVP_DigestSignInit failed\n", __func__); goto bail; diff --git a/lib/tls/openssl/openssl-x509.c b/lib/tls/openssl/openssl-x509.c index 9a0b2190f..dac4aa391 100644 --- a/lib/tls/openssl/openssl-x509.c +++ b/lib/tls/openssl/openssl-x509.c @@ -740,7 +740,7 @@ lws_x509_jwk_privkey_pem(struct lws_context *cx, struct lws_jwk *jwk, goto bail; } -#if defined(LWS_HAVE_RSA_SET0_KEY) +#if defined(LWS_HAVE_RSA_SET0_KEY) && !defined(USE_WOLFSSL) RSA_get0_key(rsapriv, (const BIGNUM **)&dummy[0], /* n */ (const BIGNUM **)&dummy[1], /* e */ (const BIGNUM **)&mpi); /* d */ 
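Review bot: The new `(int)len` cast in lws_genhmac_update() applies to every non-LibreSSL build that has `HMAC_CTX_new`, not only to the backend whose `HMAC_Update` takes an `int` (presumably wolfSSL, given the rest of the commit). A `size_t` above `INT_MAX` is narrowed before the call, so the MAC would cover a different length than the caller passed and no error is returned. Restrict the cast to the backend that needs it and reject oversized input first: `#if defined(USE_WOLFSSL)` with `if (len > INT_MAX || HMAC_Update(ctx->ctx, in, (int)len) != 1)`, leaving the plain `len` form for the others. `INT_MAX` needs `<limits.h>`.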
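Review bot: The condition around `EVP_DigestSignInit(...)` in lws_genrsa_hash_sign() treats any non-zero return as failure, and the new wolfSSL line `ctx->ctx->pkey)) {` keeps that form. EVP_DigestSignInit returns 1 on success, the convention the comment in lws-genec.c describes, so as written the success path appears to log "EVP_DigestSignInit failed" and bail. Comparing explicitly on both branches (`ctx->ctx->pkey) != 1) {` and `EVP_PKEY_CTX_get0_pkey(ctx->ctx)) != 1) {`) would fix that; the calls that follow are outside the hunk and may need the same check. Selecting the key into a local `EVP_PKEY *` under the `#if` first would also avoid splitting the closing `)) {` across preprocessor branches.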
diff --git a/minimal-examples/api-tests/api-test-gencrypto/CMakeLists.txt b/minimal-examples/api-tests/api-test-gencrypto/CMakeLists.txt index 6bfe7f216..a3678d561 100644 --- a/minimal-examples/api-tests/api-test-gencrypto/CMakeLists.txt +++ b/minimal-examples/api-tests/api-test-gencrypto/CMakeLists.txt @@ -11,7 +11,7 @@ set(SRCS main.c lws-genaes.c lws-genec.c) set(requirements 1) require_lws_config(LWS_WITH_GENCRYPTO 1 requirements) require_lws_config(LWS_WITH_JOSE 1 requirements) - +require_lws_config(USE_WOLFSSL 0 requirements) if (requirements) diff --git a/minimal-examples/api-tests/api-test-gencrypto/lws-genaes.c b/minimal-examples/api-tests/api-test-gencrypto/lws-genaes.c index 906364720..e7f2aa2f9 100644 --- a/minimal-examples/api-tests/api-test-gencrypto/lws-genaes.c +++ b/minimal-examples/api-tests/api-test-gencrypto/lws-genaes.c @@ -9,6 +9,10 @@ #include + +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CBC))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cbc)) + static const uint8_t /* * produced with (plaintext.txt contains "test plaintext\0\0") @@ -101,7 +105,10 @@ bail: return -1; } +#endif +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CFB))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cfb128)) static const uint8_t /* * produced with (plaintext.txt contains "test plaintext\0\0") @@ -188,6 +195,10 @@ bail: return -1; } +#endif + +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CFB))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cfb8)) static const uint8_t /* 
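Review bot: `require_lws_config(USE_WOLFSSL 0 requirements)` switches the whole api-test-gencrypto target off for wolfSSL builds, which are the builds whose genec, genrsa and genhash paths this commit changes. The new wolfSSL branches for EC key import, ECDH and RSA signing therefore get no coverage from this suite. If only some tests cannot pass under wolfSSL, guarding those individually, as the AES tests in lws-genaes.c are guarded per mode, would keep the rest running; otherwise add a comment such as `# gencrypto api tests are not yet expected to pass on wolfSSL` next to the line.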
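Review bot: The availability expression for each AES mode in the api-test lws-genaes.c is written out twice, once around the test function and again around its call in test_genaes() in the last hunk, for seven modes. If the two copies drift apart the build breaks with an undefined function or an unused static one, so evaluating each expression once near the top of the file into a local feature macro and testing that macro at both sites would be safer. The ECB guard also differs from the rest in that `defined(LWS_WITH_MBEDTLS)` alone enables it; a comment such as `/* mbedTLS has no config switch for ECB */` would explain the difference if that is the reason.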
@@ -272,7 +283,10 @@ bail: return -1; } +#endif +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CTR))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ctr)) static const uint8_t /* * produced with (plaintext.txt contains "test plaintext\0\0") @@ -365,7 +379,10 @@ bail: return -1; } +#endif +#if (defined(LWS_WITH_MBEDTLS)) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ecb)) static const uint8_t /* * produced with (plaintext.txt contains "test plaintext\0\0") @@ -449,10 +466,10 @@ bail: return -1; } +#endif -#if defined(MBEDTLS_CONFIG_H) && !defined(MBEDTLS_CIPHER_MODE_OFB) -#else - +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_OFB))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ofb)) static const uint8_t /* * produced with (plaintext.txt contains "test plaintext\0\0") @@ -481,7 +498,6 @@ static const uint8_t 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, } ; - static int test_genaes_ofb(void) { @@ -549,8 +565,8 @@ bail: #endif -#if defined(MBEDTLS_CONFIG_H) && !defined(MBEDTLS_CIPHER_MODE_XTS) -#else +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_XTS))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_xts)) static const uint8_t /* @@ -575,10 +591,10 @@ static const uint8_t 0x5f, 0x31, 0x9e, 0xcd, 0x33, 0x08, 0xa0, 0x44 } ; - static int test_genaes_xts(void) { + struct lws_genaes_ctx ctx; struct lws_gencrypto_keyelem e; uint8_t res[32], res1[32], data_unit[16]; 
@@ -757,30 +773,38 @@ bail: int test_genaes(struct lws_context *context) { - +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CBC))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cbc)) if (test_genaes_cbc()) goto bail; - +#endif +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CFB))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cfb128)) if (test_genaes_cfb128()) goto bail; - +#endif +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CFB))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_cfb8)) if (test_genaes_cfb8()) goto bail; - +#endif +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_CTR))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ctr)) if (test_genaes_ctr()) goto bail; - +#endif +#if (defined(LWS_WITH_MBEDTLS)) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ecb)) if (test_genaes_ecb()) goto bail; - -#if defined(MBEDTLS_CONFIG_H) && !defined(MBEDTLS_CIPHER_MODE_OFB) -#else +#endif +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_OFB))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_ofb)) if (test_genaes_ofb()) goto bail; #endif - -#if defined(MBEDTLS_CONFIG_H) && !defined(MBEDTLS_CIPHER_MODE_XTS) -#else +#if (defined(LWS_WITH_MBEDTLS) && (!defined(MBEDTLS_CONFIG_H) || defined(MBEDTLS_CIPHER_MODE_XTS))) || \ + (!defined(LWS_WITH_MBEDTLS) && defined(LWS_HAVE_EVP_aes_128_xts)) if (test_genaes_xts()) goto bail; #endif