From eae30af029b1d80c1309bb5a2e79df139ec1662b Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Tue, 12 Jul 2022 09:46:03 +0200 Subject: [PATCH] Use wolfSSL 5.4.0 for tests The 5.4.0 update changed the default bignum implementation to what could explicitly be enabled via `--enable-sp-math-all`. Since this uses fixed-sized buffers sufficient for key sizes of SP_INT_BITS, with a default of 4096, modp6144 and modp8192 didn't work anymore (wc_DhGenerateKeyPair() returned MP_EXPTMOD_E). So we have to adapt the feature checks for this. To support the larger DH groups we can either increase the buffer size via `--with-max-rsa-bits` or add `--enable-heapmath` so buffers get (re-)allocated as needed. We go with the latter for now. --- scripts/test.sh | 6 ++-- .../plugins/wolfssl/wolfssl_plugin.c | 32 ++++++++++++++----- testing/scripts/recipes/012_wolfssl.mk | 3 +- 3 files changed, 29 insertions(+), 12 deletions(-) diff --git a/scripts/test.sh b/scripts/test.sh index 443a56fbdc..0b1c4859b4 100755 --- a/scripts/test.sh +++ b/scripts/test.sh @@ -37,7 +37,7 @@ build_botan() build_wolfssl() { - WOLFSSL_REV=v5.3.0-stable + WOLFSSL_REV=v5.4.0-stable WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl if test -d "$WOLFSSL_DIR"; then @@ -53,8 +53,8 @@ build_wolfssl() --enable-aesccm --enable-aesctr --enable-camellia --enable-curve25519 --enable-curve448 --enable-des3 --enable-ecccustcurves --enable-ed25519 --enable-ed448 - --enable-keygen --enable-md4 --enable-rsapss --enable-sha3 - --enable-shake256" + --enable-heapmath --enable-keygen --enable-md4 + --enable-rsapss --enable-sha3 --enable-shake256" git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR && cd $WOLFSSL_DIR && diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c b/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c index 61c8e8e819..b53bd8b09b 100644 --- a/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c +++ b/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c 
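Review bot: The `--enable-heapmath` option added to the configure flags in build_wolfssl() has no comment saying why it is there, and the reason is only in the commit message. wolfSSL's heap-based integer math is, as far as I know, not a timing-resistant backend (worth confirming against the wolfSSL documentation), so this flag set should not be copied into a production build unchecked. I would put a comment above the assignment that holds these options (its start is outside the hunk), for example `# heapmath: required for modp6144/modp8192 since 5.4.0 (SP_INT_BITS defaults to 4096); test builds only`. The same applies to the `--enable-heapmath` line added to CONFIG_OPTS in testing/scripts/recipes/012_wolfssl.mk.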
@@ -270,31 +270,47 @@ METHOD(plugin_t, get_features, int, #ifndef NO_DH /* MODP DH groups */ PLUGIN_REGISTER(KE, wolfssl_diffie_hellman_create), - #if !defined(USE_FAST_MATH) || FP_MAX_BITS >= (3072 * 2) + #if (defined(USE_FAST_MATH) && FP_MAX_BITS >= (3072 * 2)) || \ + (defined(WOLFSSL_SP_MATH_ALL) && SP_INT_BITS >= 3072) || \ + defined(USE_INTEGER_HEAP_MATH) PLUGIN_PROVIDE(KE, MODP_3072_BIT), #endif - #if !defined(USE_FAST_MATH) || FP_MAX_BITS >= (4096 * 2) + #if (defined(USE_FAST_MATH) && FP_MAX_BITS >= (4096 * 2)) || \ + (defined(WOLFSSL_SP_MATH_ALL) && SP_INT_BITS >= 4096) || \ + defined(USE_INTEGER_HEAP_MATH) PLUGIN_PROVIDE(KE, MODP_4096_BIT), #endif - #if !defined(USE_FAST_MATH) || FP_MAX_BITS >= (6144 * 2) + #if (defined(USE_FAST_MATH) && FP_MAX_BITS >= (6144 * 2)) || \ + (defined(WOLFSSL_SP_MATH_ALL) && SP_INT_BITS >= 6144) || \ + defined(USE_INTEGER_HEAP_MATH) PLUGIN_PROVIDE(KE, MODP_6144_BIT), #endif - #if !defined(USE_FAST_MATH) || FP_MAX_BITS >= (8192 * 2) + #if (defined(USE_FAST_MATH) && FP_MAX_BITS >= (8192 * 2)) || \ + (defined(WOLFSSL_SP_MATH_ALL) && SP_INT_BITS >= 8192) || \ + defined(USE_INTEGER_HEAP_MATH) PLUGIN_PROVIDE(KE, MODP_8192_BIT), #endif - #if !defined(USE_FAST_MATH) || FP_MAX_BITS >= (2048 * 2) + #if (defined(USE_FAST_MATH) && FP_MAX_BITS >= (2048 * 2)) || \ + (defined(WOLFSSL_SP_MATH_ALL) && SP_INT_BITS >= 2048) || \ + defined(USE_INTEGER_HEAP_MATH) PLUGIN_PROVIDE(KE, MODP_2048_BIT), PLUGIN_PROVIDE(KE, MODP_2048_224), PLUGIN_PROVIDE(KE, MODP_2048_256), #endif - #if !defined(USE_FAST_MATH) || FP_MAX_BITS >= (1536 * 2) + #if (defined(USE_FAST_MATH) && FP_MAX_BITS >= (1536 * 2)) || \ + (defined(WOLFSSL_SP_MATH_ALL) && SP_INT_BITS >= 1536) || \ + defined(USE_INTEGER_HEAP_MATH) PLUGIN_PROVIDE(KE, MODP_1536_BIT), #endif - #if !defined(USE_FAST_MATH) || FP_MAX_BITS >= (1024 * 2) + #if (defined(USE_FAST_MATH) && FP_MAX_BITS >= (1024 * 2)) || \ + (defined(WOLFSSL_SP_MATH_ALL) && SP_INT_BITS >= 1024) || \ + defined(USE_INTEGER_HEAP_MATH) 
PLUGIN_PROVIDE(KE, MODP_1024_BIT), PLUGIN_PROVIDE(KE, MODP_1024_160), #endif - #if !defined(USE_FAST_MATH) || FP_MAX_BITS >= (768 * 2) + #if (defined(USE_FAST_MATH) && FP_MAX_BITS >= (768 * 2)) || \ + (defined(WOLFSSL_SP_MATH_ALL) && SP_INT_BITS >= 768) || \ + defined(USE_INTEGER_HEAP_MATH) PLUGIN_PROVIDE(KE, MODP_768_BIT), #endif PLUGIN_PROVIDE(KE, MODP_CUSTOM), diff --git a/testing/scripts/recipes/012_wolfssl.mk b/testing/scripts/recipes/012_wolfssl.mk index 73b91c4015..14b12ea3e1 100644 --- a/testing/scripts/recipes/012_wolfssl.mk +++ b/testing/scripts/recipes/012_wolfssl.mk @@ -2,7 +2,7 @@ PKG = wolfssl SRC = https://github.com/wolfSSL/$(PKG).git -REV = v5.3.0-stable +REV = v5.4.0-stable NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) @@ -27,6 +27,7 @@ CONFIG_OPTS = \ --enable-ecccustcurves \ --enable-ed25519 \ --enable-ed448 \ + --enable-heapmath \ --enable-keygen \ --enable-md4 \ --enable-rsapss \ -- 2.47.2
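Review bot: If a wolfSSL build defines none of USE_FAST_MATH, WOLFSSL_SP_MATH_ALL or USE_INTEGER_HEAP_MATH, all eight new guards in get_features are false and the plugin advertises only MODP_CUSTOM, whereas the previous `!defined(USE_FAST_MATH)` test provided every group in that case. Whether releases before 5.4.0 define USE_INTEGER_HEAP_MATH for their heap-math default is not visible here, so older libraries may silently lose all fixed MODP groups. A check placed ahead of the list would surface this at build time: `#if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) && !defined(USE_INTEGER_HEAP_MATH)`, then `#error "unsupported wolfSSL bignum backend"`, then `#endif`; alternatively, document the minimum supported wolfSSL version. MODP_CUSTOM remains unconditional, so a custom group larger than the fixed buffer would presumably still fail only at runtime, which deserves a comment next to it. The body of get_features starts and ends outside the hunk.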