lws/mbedtls-wrapper: Align SSL_CTX_new function declaration with OpenSSL

lib/tls/mbedtls/mbedtls-client.c

@@ -407,7 +407,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 		return 1;
 	}
 	/* create context */
-	vh->tls.ssl_client_ctx = SSL_CTX_new(method, &vh->context->mcdc);
+	vh->tls.ssl_client_ctx = SSL_CTX_new(method);
 	if (!vh->tls.ssl_client_ctx) {
 		error = (unsigned long)ERR_get_error();
 		lwsl_err("problem creating ssl context %lu: %s\n",
@@ -416,6 +416,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 		return 1;
 	}
 
+	vh->tls.ssl_client_ctx->rngctx = &vh->context->mcdc;
 	if (!ca_filepath && (!ca_mem || !ca_mem_len)) {
 #if defined(LWS_HAVE_SSL_CTX_load_verify_dir)
 		if (!SSL_CTX_load_verify_dir(

lib/tls/mbedtls/mbedtls-server.c

@@ -199,12 +199,13 @@ lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info,
 	lws_filepos_t flen;
 	int n;
 
-	vhost->tls.ssl_ctx = SSL_CTX_new(method, &vhost->context->mcdc);	/* create context */
+	vhost->tls.ssl_ctx = SSL_CTX_new(method);	/* create context */
 	if (!vhost->tls.ssl_ctx) {
 		lwsl_err("problem creating ssl context\n");
 		return 1;
 	}
 
+	vhost->tls.ssl_ctx->rngctx = &vhost->context->mcdc;
 	if (!vhost->tls.use_ssl ||
 	    (!info->ssl_cert_filepath && !info->server_ssl_cert_mem))
 		return 0;

lib/tls/mbedtls/wrapper/include/internal/ssl_cert.h

@@ -28,7 +28,7 @@
  *
  * @return certification object point
  */
-CERT *__ssl_cert_new(CERT *ic, void *rngctx);
+CERT *__ssl_cert_new(CERT *ic);
 
 /**
  * @brief create a certification object include private key object
@@ -37,7 +37,7 @@ CERT *__ssl_cert_new(CERT *ic, void *rngctx);
  *
  * @return certification object point
  */
-CERT* ssl_cert_new(void *rngctx);
+CERT* ssl_cert_new(void);
 
 /**
  * @brief free a certification object

lib/tls/mbedtls/wrapper/include/internal/ssl_pkey.h

@@ -28,7 +28,7 @@
  *
  * @return new private key object point
  */
-EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk, void *rngctx);
+EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk);
 
 /**
  * @brief create a private key object
@@ -37,7 +37,7 @@ EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk, void *rngctx);
  *
  * @return private key object point
  */
-EVP_PKEY* EVP_PKEY_new(void *rngctx);
+EVP_PKEY* EVP_PKEY_new(void);
 
 /**
  * @brief load a character key context into system context. If '*a' is pointed to the
@@ -53,7 +53,7 @@ EVP_PKEY* EVP_PKEY_new(void *rngctx);
 EVP_PKEY* d2i_PrivateKey(int type,
                          EVP_PKEY **a,
                          const unsigned char **pp,
-                         long length, void *rngctx);
+                         long length);
 
 /**
  * @brief free a private key object

lib/tls/mbedtls/wrapper/include/internal/ssl_types.h

@@ -306,7 +306,7 @@ struct x509_method_st {
 
 struct pkey_method_st {
 
-    int (*pkey_new)(EVP_PKEY *pkey, EVP_PKEY *m_pkey, void *rngctx);
+    int (*pkey_new)(EVP_PKEY *pkey, EVP_PKEY *m_pkey);
 
     void (*pkey_free)(EVP_PKEY *pkey);
 

lib/tls/mbedtls/wrapper/include/openssl/ssl.h

@@ -60,7 +60,7 @@
  *
  * @return the context point
  */
-SSL_CTX* SSL_CTX_new(const SSL_METHOD *method, void *rngctx);
+SSL_CTX* SSL_CTX_new(const SSL_METHOD *method);
 
 /**
  * @brief free a SSL context

lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h

@@ -50,7 +50,7 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len);
 int x509_pm_load_file(X509 *x, const char *path);
 int x509_pm_load_path(X509 *x, const char *path);
 
-int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pk, void *rngctx);
+int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pk);
 void pkey_pm_free(EVP_PKEY *pk);
 int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len);
 

lib/tls/mbedtls/wrapper/library/ssl_cert.c

@@ -23,7 +23,7 @@
 /**
  * @brief create a certification object according to input certification
  */
-CERT *__ssl_cert_new(CERT *ic, void *rngctx)
+CERT *__ssl_cert_new(CERT *ic)
 {
     CERT *cert;
 
@@ -44,7 +44,7 @@ CERT *__ssl_cert_new(CERT *ic, void *rngctx)
         ix = NULL;
     }
 
-    cert->pkey = __EVP_PKEY_new(ipk, rngctx);
+    cert->pkey = __EVP_PKEY_new(ipk);
     if (!cert->pkey) {
         SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "__EVP_PKEY_new() return NULL");
         goto pkey_err;
@@ -69,9 +69,9 @@ CERT *__ssl_cert_new(CERT *ic, void *rngctx)
 /**
  * @brief create a certification object include private key object
  */
-CERT *ssl_cert_new(void *rngctx)
+CERT *ssl_cert_new(void)
 {
-    return __ssl_cert_new(NULL, rngctx);
+    return __ssl_cert_new(NULL);
 }
 
 /**

lib/tls/mbedtls/wrapper/library/ssl_lib.c

@@ -185,7 +185,7 @@ const char *mbedtls_client_preload_filepath;
 /**
  * @brief create a SSL context
  */
-SSL_CTX* SSL_CTX_new(const SSL_METHOD *method, void *rngctx)
+SSL_CTX* SSL_CTX_new(const SSL_METHOD *method)
 {
     SSL_CTX *ctx;
     CERT *cert;
@@ -205,7 +205,7 @@ SSL_CTX* SSL_CTX_new(const SSL_METHOD *method, void *rngctx)
         goto failed1;
     }
 
-    cert = ssl_cert_new(rngctx);
+    cert = ssl_cert_new();
     if (!cert) {
         SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "ssl_cert_new() return NULL");
         goto failed2;
@@ -220,7 +220,6 @@ SSL_CTX* SSL_CTX_new(const SSL_METHOD *method, void *rngctx)
     ctx->method = method;
     ctx->client_CA = client_ca;
     ctx->cert = cert;
-    ctx->rngctx = rngctx;
 
     ctx->version = method->version;
 
@@ -330,7 +329,7 @@ SSL *SSL_new(SSL_CTX *ctx)
         goto failed2;
     }
 
-    ssl->cert = __ssl_cert_new(ctx->cert, ctx->rngctx);
+    ssl->cert = __ssl_cert_new(ctx->cert);
     if (!ssl->cert) {
         SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__ssl_cert_new() return NULL");
         goto failed3;

lib/tls/mbedtls/wrapper/library/ssl_pkey.c

@@ -22,7 +22,7 @@
 /**
  * @brief create a private key object according to input private key
  */
-EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk, void *rngctx)
+EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk)
 {
     int ret;
     EVP_PKEY *pkey;
@@ -39,7 +39,7 @@ EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk, void *rngctx)
         pkey->method = EVP_PKEY_method();
     }
 
-    ret = EVP_PKEY_METHOD_CALL(new, pkey, ipk, rngctx);
+    ret = EVP_PKEY_METHOD_CALL(new, pkey, ipk);
     if (ret) {
         SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_METHOD_CALL(new) return %d", ret);
         goto failed;
@@ -56,9 +56,9 @@ EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk, void *rngctx)
 /**
  * @brief create a private key object
  */
-EVP_PKEY* EVP_PKEY_new(void *rngctx)
+EVP_PKEY* EVP_PKEY_new(void)
 {
-    return __EVP_PKEY_new(NULL, rngctx);
+    return __EVP_PKEY_new(NULL);
 }
 
 /**
@@ -80,7 +80,7 @@ void EVP_PKEY_free(EVP_PKEY *pkey)
 EVP_PKEY *d2i_PrivateKey(int type,
                          EVP_PKEY **a,
                          const unsigned char **pp,
-                         long length, void *rngctx)
+                         long length)
 {
     int m = 0;
     int ret;
@@ -93,7 +93,7 @@ EVP_PKEY *d2i_PrivateKey(int type,
     if (a && *a) {
         pkey = *a;
     } else {
-        pkey = EVP_PKEY_new(rngctx);
+        pkey = EVP_PKEY_new();
         if (!pkey) {
             SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_new() return NULL");
             goto failed1;
@@ -167,7 +167,7 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
     int ret;
     EVP_PKEY *pk;
 
-    pk = d2i_PrivateKey(0, NULL, &d, len, ctx->rngctx);
+    pk = d2i_PrivateKey(0, NULL, &d, len);
     if (!pk) {
         SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL");
         goto failed1;
@@ -196,7 +196,7 @@ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl,
     int ret;
     EVP_PKEY *pk;
 
-    pk = d2i_PrivateKey(0, NULL, &d, len, ssl->ctx->rngctx);
+    pk = d2i_PrivateKey(0, NULL, &d, len);
     if (!pk) {
         SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL");
         goto failed1;

lib/tls/mbedtls/wrapper/platform/ssl_pm.c

@@ -62,8 +62,6 @@ struct pkey_pm
     mbedtls_pk_context *pkey;
 
     mbedtls_pk_context *ex_pkey;
-
-    void *rngctx;
 };
 
 unsigned int max_content_len;
@@ -786,7 +784,7 @@ int x509_pm_load_path(X509 *x, const char *path)
     return -1;
 }
 
-int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey, void *rngctx)
+int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey)
 {
     struct pkey_pm *pkey_pm;
 
@@ -795,7 +793,6 @@ int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey, void *rngctx)
         return -1;
 
     pk->pkey_pm = pkey_pm;
-    pkey_pm->rngctx = rngctx;
 
     if (m_pkey) {
         struct pkey_pm *m_pkey_pm = (struct pkey_pm *)m_pkey->pkey_pm;
@@ -826,6 +823,7 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
     int ret;
     unsigned char *load_buf;
     struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
+    mbedtls_ctr_drbg_context ctr_drbg;
 
     if (pkey_pm->pkey)
         mbedtls_pk_free(pkey_pm->pkey);
@@ -848,14 +846,15 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
     load_buf[len] = '\0';
 
     mbedtls_pk_init(pkey_pm->pkey);
+    mbedtls_ctr_drbg_init(&ctr_drbg);
 
 #if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000
 #if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03050000
     ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, (unsigned int)len, NULL, 0,
-		    mbedtls_ctr_drbg_random, pkey_pm->rngctx);
+		    mbedtls_ctr_drbg_random, &ctr_drbg);
 #else
     ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, (unsigned int)len + 1, NULL, 0,
-		    mbedtls_ctr_drbg_random, pkey_pm->rngctx);
+		    mbedtls_ctr_drbg_random, &ctr_drbg);
 #endif
 #else
     ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, (unsigned int)len + 1, NULL, 0);
@@ -867,9 +866,12 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
         goto failed;
     }
 
+    mbedtls_ctr_drbg_free(&ctr_drbg);
+
     return 0;
 
 failed:
+    mbedtls_ctr_drbg_free(&ctr_drbg);
     mbedtls_pk_free(pkey_pm->pkey);
     ssl_mem_free(pkey_pm->pkey);
     pkey_pm->pkey = NULL;
@@ -1057,7 +1059,7 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
 	if (ssl->cert)
 		ssl_cert_free(ssl->cert);
 	ssl->ctx = ctx;
-	ssl->cert = __ssl_cert_new(ctx->cert, ctx->rngctx);
+	ssl->cert = __ssl_cert_new(ctx->cert);
 
 #if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)