h2: client: keep POLLOUT asserted while netconn has pps pending

.sai.json

@@ -172,6 +172,10 @@
 			"cmake":	"-DLWS_ROLE_QUIC=1 -DLWS_WITH_WOLFSSL=1 -DLWS_WOLFSSL_INCLUDE_DIRS=/usr/local/include -DLWS_WOLFSSL_LIBRARIES=/usr/local/lib/libwolfssl.so -DLWS_WITH_MINIMAL_EXAMPLES=0",
 			"platforms":	"none, rocky9/aarch64-a72a55-rk3588/gcc"
 		},
+                "openhitls": {
+                        "cmake":        "-DLWS_WITH_OPENHITLS=1 -DOPENHITLS_INCLUDE_DIRS=/opt/openhitls/include -DOPENHITLS_LIBRARIES='/opt/openhitls/build/libhitls_tls.so;/opt/openhitls/build/libhitls_pki.so;/opt/openhitls/build/libhitls_crypto.so;/opt/openhitls/build/libhitls_bsl.so;/opt/openhitls/build/libhitls_auth.so'",
+			"platforms":	"none, rocky9/aarch64-a72a55-rk3588/gcc"
+		},
 		"default-noexamples": {
 			"cmake":	"-DLWS_WITH_MINIMAL_EXAMPLES=0",
 			"platforms":	"freebsd/aarch64/llvm"

CMakeLists.txt

@@ -1,7 +1,7 @@
 #
 # libwebsockets - small server side websockets and web server implementation
 #
-# Copyright (C) 2010 - 2022 Andy Green <andy@warmcat.com>
+# Copyright (C) 2010 - 2026 Andy Green <andy@warmcat.com>
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to
@@ -256,10 +256,11 @@ option(LWS_WITH_BEARSSL "Use BearSSL replacement for OpenSSL. When setting this,
 set(LWS_BEARSSL_PROFILE "full" CACHE STRING "BearSSL profile to use (e.g. full, client, minimal)")
 option(LWS_WITH_BORINGSSL "Use BoringSSL replacement for OpenSSL" OFF)
 option(LWS_WITH_AWSLC "Use AWSLC replacement for OpenSSL" OFF)
+option(LWS_WITH_OPENHITLS "Use openHITLS replacement for OpenSSL. When setting this, you also may need to specify OPENHITLS_LIBRARIES and OPENHITLS_INCLUDE_DIRS" OFF)
 option(LWS_WITH_CYASSL "Use CyaSSL replacement for OpenSSL. When setting this, you also need to specify LWS_CYASSL_LIBRARIES and LWS_CYASSL_INCLUDE_DIRS" OFF)
 option(LWS_WITH_WOLFSSL "Use wolfSSL replacement for OpenSSL. When setting this, you also may need to specify LWS_WOLFSSL_LIBRARIES and LWS_WOLFSSL_INCLUDE_DIRS" OFF)
 
-if (LWS_WITH_HTTP3 AND LWS_WITH_SSL AND NOT (LWS_WITH_BORINGSSL OR LWS_WITH_AWSLC OR LWS_WITH_MBEDTLS OR LWS_WITH_WOLFSSL OR LWS_WITH_CYASSL OR LWS_WITH_GNUTLS OR LWS_WITH_BEARSSL OR LWS_WITH_SCHANNEL OR ESP_PLATFORM OR LWS_WITH_ESP32))
+if (LWS_WITH_HTTP3 AND LWS_WITH_SSL AND NOT (LWS_WITH_BORINGSSL OR LWS_WITH_AWSLC OR LWS_WITH_MBEDTLS OR LWS_WITH_WOLFSSL OR LWS_WITH_CYASSL OR LWS_WITH_GNUTLS OR LWS_WITH_BEARSSL OR LWS_WITH_SCHANNEL OR ESP_PLATFORM OR LWS_WITH_ESP32 OR LWS_WITH_OPENHITLS))
        option(LWS_WITH_GNUTLS "Use GnuTLS for SSL" ON)
 else()
        set(LWS_WITH_GNUTLS OFF CACHE BOOL "Use GnuTLS for SSL" FORCE)
@@ -275,7 +276,7 @@ if (NOT (LWS_WITH_BORINGSSL OR LWS_WITH_AWSLC OR LWS_WITH_MBEDTLS OR LWS_WITH_WO
     set(LWS_WITH_HTTP3 0)
 endif()
 
-if (WIN32 AND NOT (LWS_WITH_BORINGSSL OR LWS_WITH_AWSLC OR LWS_WITH_MBEDTLS OR LWS_WITH_WOLFSSL OR LWS_WITH_CYASSL OR LWS_WITH_BEARSSL OR LWS_WITH_GNUTLS))
+if (WIN32 AND NOT (LWS_WITH_BORINGSSL OR LWS_WITH_AWSLC OR LWS_WITH_MBEDTLS OR LWS_WITH_WOLFSSL OR LWS_WITH_CYASSL OR LWS_WITH_BEARSSL OR LWS_WITH_GNUTLS OR LWS_WITH_OPENHITLS))
 	set(LWS_SCHANNEL_DEFAULT ON)
 else()
 	set(LWS_SCHANNEL_DEFAULT OFF)
@@ -295,6 +296,12 @@ else()
 endif()
 option(LWS_WITH_TCP_TLS "Compile TCP TLS specific files" ${DEFAULT_TCP_TLS})
 
+if (LWS_WITH_OPENHITLS)
+	set(LWS_WITH_SSL ON)
+endif()
+
+
+
 #
 # Event library options (may select multiple, or none for default poll()
 #
@@ -1097,8 +1104,10 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR COMPILER_IS_CLANG)
 	# always warn all and generate debug info
 	if (UNIX AND NOT LWS_PLAT_FREERTOS)
 		set(CMAKE_C_FLAGS "-Wall -Wextra -Wno-unused-parameter -Wconversion -Wsign-compare -Wstrict-aliasing ${VISIBILITY_FLAG} -Wundef ${GCOV_FLAGS} ${CMAKE_C_FLAGS} ${ASAN_FLAGS}" )
+		set(CMAKE_CXX_FLAGS "-Wall -Wextra -Wno-unused-parameter -Wconversion -Wsign-compare -Wstrict-aliasing ${VISIBILITY_FLAG} -Wundef ${GCOV_FLAGS} ${CMAKE_CXX_FLAGS} ${ASAN_FLAGS}" )
 	else()
 		set(CMAKE_C_FLAGS "-Wall -Wsign-compare ${VISIBILITY_FLAG} ${GCOV_FLAGS} ${CMAKE_C_FLAGS}" )
+		set(CMAKE_CXX_FLAGS "-Wall -Wsign-compare ${VISIBILITY_FLAG} ${GCOV_FLAGS} ${CMAKE_CXX_FLAGS} ${ASAN_FLAGS}" )
 	endif()
 
 	if (PICO_SDK_PATH)
@@ -1115,8 +1124,10 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR COMPILER_IS_CLANG)
 
 	if (LWS_SUPPRESS_DEPRECATED_API_WARNINGS)
 		set(CMAKE_C_FLAGS "-Wno-deprecated ${CMAKE_C_FLAGS}")
+		set(CMAKE_CXX_FLAGS "-Wno-deprecated ${CMAKE_CXX_FLAGS}")
 		if (LWS_GCC_HAS_NO_DEPRECATED_DECLARATIONS)
 			set(CMAKE_C_FLAGS "-Wno-deprecated-declarations ${CMAKE_C_FLAGS}")
+			set(CMAKE_CXX_FLAGS "-Wno-deprecated-declarations ${CMAKE_CXX_FLAGS}")
 		endif()
 	endif()
 endif ()
@@ -1136,9 +1147,15 @@ if (COMPILER_IS_CLANG)
 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-deprecated-declarations" )
 	if (UNIX AND LWS_HAVE_PTHREAD_H)
 		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pthread -Wno-error=unused-command-line-argument" )
+		set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pthread -Wno-error=unused-command-line-argument" )
 	endif()
 endif()
 
+if (LWS_WITH_ASAN)
+	set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${ASAN_FLAGS}")
+	set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${ASAN_FLAGS}")
+endif()
+
 if (${CMAKE_SYSTEM_NAME} MATCHES "SunOS")
 		list(APPEND LIB_LIST_AT_END -lsocket)
 		if ((CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX))

README.md

@@ -21,18 +21,20 @@ quic/h3 is enabled for build by default... necessitating GnuTLS instead of OpenS
 
 | TLS Library | Server TLS | Client TLS | QUIC Transport (TLS 1.3) | WSS / HTTPS | MQTT over TLS | ALPN (HTTP/2) | DTLS (WebRTC) | Session Cache | JIT Trust | GenCrypto |
 | :--- | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
-| **GnuTLS** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **No** | **Yes** |
-| **OpenSSL** | **Yes** | **Yes** | **No*** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
-| **LibreSSL** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **No** | **Yes** |
-| **AWS-LC** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **No** | **Yes** |
+| **GnuTLS**    | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **No** | **Yes** |
+| **OpenSSL**   | **Yes** | **Yes** | **No*** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
+| **LibreSSL**  | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **No** | **Yes** |
+| **AWS-LC**    | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **No** | **Yes** |
 | **BoringSSL** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **No** | **Yes** |
-| **wolfSSL** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **No** | **Yes** |
-| **mbedTLS** | **Yes** | **Yes** | Needs patch | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
-| **SChannel** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **No** | **Yes** |
-| **BearSSL** | **Yes** | **Yes** | **No** | **Yes** | **Yes** | **Yes** | **No** | **Yes** | **Yes** | **Yes** |
+| **wolfSSL**   | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **No** | **Yes** |
+| **mbedTLS**   | **Yes** | **Yes** | Needs patch | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
+| **SChannel**  | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **No** | **Yes** |
+| **BearSSL**   | **Yes** | **Yes** | **No** | **Yes** | **Yes** | **Yes** | **No** | **Yes** | **Yes** | **Yes** |
+| **openHiTLS** | **Yes** | **Yes** | **No** | **Yes** | **Yes** | **Yes** | Yes (not SRTP) | **Yes** | **Yes** | **Yes** |
 
-\* *Note: 1) Upstream OpenSSL does not provide the necessary QUIC TLS API (`SSL_set_quic_method`) to act as a cryptographic engine for LWS's QUIC transport. If you need QUIC/HTTP3 support, we recommend using BoringSSL, GnuTLS, WolfSSL, or the `quictls` fork of OpenSSL.*
 
+\* *Note: 1) Upstream OpenSSL does not provide the necessary QUIC TLS API (`SSL_set_quic_method`) to act as a cryptographic engine for LWS's QUIC transport. If you need QUIC/HTTP3 support, we recommend using BoringSSL, GnuTLS, WolfSSL, or the `quictls` fork of OpenSSL.*
+\* *Note: 2) openHiTLS does not provide the necessary QUIC TLS API *
 
  - DHT support built-in: `-DLWS_WITH_DHT=1`
 

READMEs/README.build.md

@@ -338,6 +338,9 @@ plugins and lwsws.
 
  - If cpu and memory is not super restricted and you care about TLS speed,
    OpenSSL or a directly compatible variant like Boring SSL is a good choice.
+
+ - To build with openHITLS (from https://gitcode.com/openhitls/openhitls.git example shown if built in `/opt/openhitls/build`) , use:
+   `cmake .. -DLWS_WITH_OPENHITLS=1 -DOPENHITLS_INCLUDE_DIRS=/opt/openhitls/include -DOPENHITLS_LIBRARIES=/opt/openhitls/build/libhitls_tls.so;/opt/openhitls/build/libhitls_pki.so;/opt/openhitls/build/libhitls_crypto.so;/opt/openhitls/build/libhitls_bsl.so;/opt/openhitls/build/libhitls_auth.so`
 
 Just building lws against stock Fedora OpenSSL or stock Fedora mbedTLS, for
 SSL handhake mbedTLS takes ~36ms and OpenSSL takes ~1ms on the same x86_64

cmake/FindOpenHITLS.cmake

@@ -0,0 +1,90 @@
+# Find OpenHITLS library and headers
+#
+# Sets:
+#  OPENHITLS_FOUND
+#  OPENHITLS_LIBRARIES
+#  OPENHITLS_INCLUDE_DIRS
+
+set(OPENHITLS_ROOT "" CACHE PATH "Prefix for OpenHITLS installation")
+set(OPENHITLS_UNSUPPORTED_PLATFORM 0)
+
+if (WIN32 OR CMAKE_SYSTEM_NAME MATCHES "Emscripten|WASI|Generic")
+	set(OPENHITLS_UNSUPPORTED_PLATFORM 1)
+endif()
+
+if (NOT OPENHITLS_UNSUPPORTED_PLATFORM)
+	if ("${OPENHITLS_LIBRARIES}" STREQUAL "" OR "${OPENHITLS_INCLUDE_DIRS}" STREQUAL "")
+		include(FindPkgConfig)
+		PKG_SEARCH_MODULE(OPENHITLS openhitls)
+	endif()
+
+	set(_OPENHITLS_HINTS)
+	if (OPENHITLS_ROOT)
+		list(APPEND _OPENHITLS_HINTS ${OPENHITLS_ROOT})
+	endif()
+	list(APPEND _OPENHITLS_HINTS /usr/local /usr)
+
+	# Find the base include directory containing hitls/
+	# Only search if pkg-config didn't provide include dirs
+	if ("${OPENHITLS_INCLUDE_DIRS}" STREQUAL "")
+		find_path(_OPENHITLS_BASE_INCLUDE_DIR hitls/tls/hitls.h
+			PATHS ${_OPENHITLS_HINTS}
+			PATH_SUFFIXES include)
+
+		if (_OPENHITLS_BASE_INCLUDE_DIR)
+			# Base include dir (for #include <hitls/tls/hitls.h>)
+			list(APPEND OPENHITLS_INCLUDE_DIRS ${_OPENHITLS_BASE_INCLUDE_DIR})
+		endif()
+	endif()
+
+	# Build include directories list from base include dirs, including
+	# pkg-config-provided base include paths.
+	set(_OPENHITLS_BASE_INCLUDE_CANDIDATES)
+	foreach(_openhitls_inc ${OPENHITLS_INCLUDE_DIRS})
+		if (EXISTS "${_openhitls_inc}/hitls/tls/hitls.h")
+			list(APPEND _OPENHITLS_BASE_INCLUDE_CANDIDATES "${_openhitls_inc}")
+		endif()
+	endforeach()
+
+	foreach(_openhitls_base ${_OPENHITLS_BASE_INCLUDE_CANDIDATES})
+		# Subdirectory includes (for #include "crypt_types.h", etc.)
+		list(APPEND OPENHITLS_INCLUDE_DIRS "${_openhitls_base}/hitls/bsl")
+		list(APPEND OPENHITLS_INCLUDE_DIRS "${_openhitls_base}/hitls/crypto")
+		list(APPEND OPENHITLS_INCLUDE_DIRS "${_openhitls_base}/hitls/pki")
+		list(APPEND OPENHITLS_INCLUDE_DIRS "${_openhitls_base}/hitls/tls")
+		list(APPEND OPENHITLS_INCLUDE_DIRS "${_openhitls_base}/hitls/auth")
+	endforeach()
+	if (OPENHITLS_INCLUDE_DIRS)
+		list(REMOVE_DUPLICATES OPENHITLS_INCLUDE_DIRS)
+	endif()
+
+	if ("${OPENHITLS_LIBRARIES}" STREQUAL "")
+		find_library(OPENHITLS_BSL_LIBRARY hitls_bsl
+			PATHS ${_OPENHITLS_HINTS}
+			PATH_SUFFIXES lib)
+		find_library(OPENHITLS_CRYPTO_LIBRARY hitls_crypto
+			PATHS ${_OPENHITLS_HINTS}
+			PATH_SUFFIXES lib)
+		find_library(OPENHITLS_TLS_LIBRARY hitls_tls
+			PATHS ${_OPENHITLS_HINTS}
+			PATH_SUFFIXES lib)
+		find_library(OPENHITLS_PKI_LIBRARY hitls_pki
+			PATHS ${_OPENHITLS_HINTS}
+			PATH_SUFFIXES lib)
+		if (OPENHITLS_BSL_LIBRARY AND OPENHITLS_CRYPTO_LIBRARY AND OPENHITLS_TLS_LIBRARY AND OPENHITLS_PKI_LIBRARY)
+			set(OPENHITLS_LIBRARIES
+				${OPENHITLS_BSL_LIBRARY}
+				${OPENHITLS_CRYPTO_LIBRARY}
+				${OPENHITLS_TLS_LIBRARY}
+				${OPENHITLS_PKI_LIBRARY})
+		endif()
+	endif()
+endif()
+
+if (OPENHITLS_UNSUPPORTED_PLATFORM)
+	set(OPENHITLS_FOUND 0)
+elseif ("${OPENHITLS_LIBRARIES}" STREQUAL "" OR "${OPENHITLS_INCLUDE_DIRS}" STREQUAL "")
+	set(OPENHITLS_FOUND 0)
+else()
+	set(OPENHITLS_FOUND 1)
+endif()

cmake/lws_config.h.in

@@ -221,6 +221,8 @@
 #cmakedefine LWS_WITH_BEARSSL
 #cmakedefine LWS_WITH_SCHANNEL
 #cmakedefine LWS_WITH_GNUTLS
+#cmakedefine LWS_WITH_OPENHITLS
+#cmakedefine LWS_WITH_TLS_KEYLOG
 #cmakedefine LWS_WITH_MINIZ
 #cmakedefine LWS_WITH_ROUTING
 #cmakedefine LWS_WITH_NETLINK

include/libwebsockets.h

@@ -439,6 +439,15 @@ typedef struct gnutls_session_int SSL;
 typedef struct lws_tls_gnutls_ctx SSL_CTX;
 typedef void BIO;
 typedef struct gnutls_x509_crt_int X509;
+#elif defined(LWS_WITH_OPENHITLS)
+#include <hitls_type.h>
+#include <hitls_cert_type.h>
+#include <hitls_pki_cert.h>
+typedef HITLS_Ctx SSL;
+typedef HITLS_Config SSL_CTX;
+typedef void BIO;
+typedef HITLS_X509_Cert X509;
+typedef HITLS_CERT_StoreCtx X509_STORE_CTX;
 #else
 #include <openssl/ssl.h>
 #if !defined(LWS_WITH_MBEDTLS)

include/libwebsockets/lws-context-vhost.h

@@ -629,13 +629,14 @@ struct lws_context_creation_info {
 
 #endif
 
-#if !defined(LWS_WITH_MBEDTLS) && !defined(LWS_WITH_BEARSSL)
+#if !defined(LWS_WITH_MBEDTLS) && !defined(LWS_WITH_BEARSSL) && \
+	!defined(LWS_WITH_OPENHITLS)
 	SSL_CTX *provided_client_ssl_ctx;
 	/**< CONTEXT: If non-null, swap out libwebsockets ssl
 	  * implementation for the one provided by provided_ssl_ctx.
 	  * Libwebsockets no longer is responsible for freeing the context
 	  * if this option is selected. */
-#else /* WITH_MBEDTLS */
+#elif defined(LWS_WITH_MBEDTLS)
 	const char *mbedtls_client_preload_filepath;
 	/**< CONTEXT: If NULL, no effect.  Otherwise it should point to a
 	 * filepath where every created client SSL_CTX is preloaded from the

include/libwebsockets/lws-genaes.h

@@ -41,6 +41,9 @@
 #include <psa/crypto.h>
 #endif
 #endif
+#if defined(LWS_WITH_OPENHITLS)
+#include <crypt_eal_cipher.h>
+#endif
 
 enum enum_aes_modes {
 	LWS_GAESM_CBC,
@@ -112,6 +115,8 @@ struct lws_genaes_ctx {
 	const br_block_cbcenc_class *cbcenc_vtable;
 	const br_block_cbcdec_class *cbcdec_vtable;
 	const br_block_ctr_class *ctr_vtable;
+#elif defined(LWS_WITH_OPENHITLS)
+	CRYPT_EAL_CipherCtx *ctx;
 #else
 	EVP_CIPHER_CTX *ctx;
 	const EVP_CIPHER *cipher;

include/libwebsockets/lws-gendtls.h

@@ -48,6 +48,10 @@
 #define SECURITY_WIN32
 #include <security.h>
 #include <schannel.h>
+#elif defined(LWS_WITH_OPENHITLS)
+#include <hitls.h>
+#include <hitls_config.h>
+#include <bsl_uio.h>
 #else /* OpenSSL */
 #include <openssl/ssl.h>
 #endif
@@ -106,6 +110,18 @@ struct lws_gendtls_ctx {
 	/* Store the client address for SChannel DTLS ACCEPT */
 	struct sockaddr_storage			client_addr;
 	size_t					client_addr_len;
+#elif defined(LWS_WITH_OPENHITLS)
+	HITLS_Ctx				*ctx;
+	HITLS_Config				*config;
+	BSL_UIO					*uio;
+	BSL_UIO_Method				*uio_method;
+	struct lws_buflist			*rx_head;
+	struct lws_buflist			*tx_head;
+	struct lws_context			*context;
+	int					mode;
+	unsigned int				mtu;
+	unsigned int				timeout_ms;
+	int					handshake_done;
 #else /* OpenSSL */
 	void					*ssl; /* SSL * */
 	/* OpenSSL Bio mems are handled internally via SSL_set_bio */

include/libwebsockets/lws-genec.h

@@ -22,6 +22,10 @@
  * IN THE SOFTWARE.
  */
 
+#if defined(LWS_WITH_OPENHITLS)
+#include <crypt_eal_pkey.h>
+#endif
+
 enum enum_genec_alg {
 	LEGENEC_UNKNOWN,
 
@@ -57,6 +61,8 @@ struct lws_genec_ctx {
 	br_ec_private_key priv;
 	void *kbuf_priv;
 	void *kbuf_pub;
+#elif defined(LWS_WITH_OPENHITLS)
+	CRYPT_EAL_PkeyCtx *ctx[2];
 #else
 	EVP_PKEY_CTX *ctx[2];
 #endif

include/libwebsockets/lws-genhash.h

@@ -44,6 +44,11 @@
 #include <psa/crypto.h>
 #endif
 
+#if defined(LWS_WITH_OPENHITLS)
+#include <crypt_eal_md.h>
+#include <crypt_eal_mac.h>
+#endif
+
 
 enum lws_genhash_types {
 	LWS_GENHASH_TYPE_UNKNOWN,
@@ -97,6 +102,8 @@ struct lws_genhash_ctx {
 		br_sha384_context sha384;
 		br_sha512_context sha512;
 	} u;
+#elif defined(LWS_WITH_OPENHITLS)
+	CRYPT_EAL_MdCTX *ctx;
 #else
         const EVP_MD *evp_type;
         EVP_MD_CTX *mdctx;
@@ -125,6 +132,8 @@ struct lws_genhmac_ctx {
 #elif defined(LWS_WITH_BEARSSL)
 	br_hmac_key_context hmac_key;
 	br_hmac_context ctx;
+#elif defined(LWS_WITH_OPENHITLS)
+	CRYPT_EAL_MacCtx *ctx;
 #else
 	const EVP_MD *evp_type;
 

include/libwebsockets/lws-genrsa.h

@@ -35,6 +35,10 @@
 
 /* include/libwebsockets/lws-jwk.h must be included before this */
 
+#if defined(LWS_WITH_OPENHITLS)
+#include <crypt_eal_pkey.h>
+#endif
+
 enum enum_genrsa_mode {
 	LGRSAM_PKCS1_1_5,
 	LGRSAM_PKCS1_OAEP_PSS,
@@ -62,13 +66,18 @@ struct lws_genrsa_ctx {
 	br_rsa_private_key priv;
 	void *kbuf_priv;
 	void *kbuf_pub;
+#elif defined(LWS_WITH_OPENHITLS)
+	CRYPT_EAL_PkeyCtx *ctx;
+	CRYPT_EAL_PkeyPub pub;
+	CRYPT_EAL_PkeyPrv prv;
 #else
 	BIGNUM *bn[LWS_GENCRYPTO_RSA_KEYEL_COUNT];
 	EVP_PKEY_CTX *ctx;
 	RSA *rsa;
 #endif
 	struct lws_context *context;
 	enum enum_genrsa_mode mode;
+	enum lws_genhash_types oaep_hashid;
 };
 
 /** lws_genrsa_public_decrypt_create() - Create RSA public decrypt context

lib/CMakeLists.txt

@@ -515,3 +515,4 @@ set(LWS_ROLE_QUIC ${LWS_ROLE_QUIC} PARENT_SCOPE)
 set(LWS_WITH_HTTP3 ${LWS_WITH_HTTP3} PARENT_SCOPE)
 set(LWS_ROLE_H3 ${LWS_ROLE_H3} PARENT_SCOPE)
 set(LWS_ROLE_WT ${LWS_ROLE_WT} PARENT_SCOPE)
+set(LWS_WITH_TLS_KEYLOG ${LWS_WITH_TLS_KEYLOG} PARENT_SCOPE)