openssl: Add support for Ed25519 via AWS-LC

2025-10-04 00:00:14 -04:00 · 2025-08-08 17:17:12 +02:00 · 2025-08-08 17:17:12 +02:00 · 052a939553
commit 052a939553
parent 4096a911a0
4 changed files with 30 additions and 7 deletions
--- a/.github/active-transforms/openssl-awslc
+++ b/.github/active-transforms/openssl-awslc
@ -56,6 +56,7 @@ HASH_SHA3_224[openssl]
 HASH_SHA3_256[openssl]
 HASH_SHA3_384[openssl]
 HASH_SHA3_512[openssl]
+HASH_IDENTITY[openssl]
 PRF_KEYED_SHA1[openssl]
 PRF_HMAC_MD5[openssl]
 PRF_HMAC_SHA1[openssl]
--- a/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2018-2025 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
@ -18,6 +18,10 @@

 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)

+#ifdef OPENSSL_IS_AWSLC
+#include <openssl/x509.h>
+#endif
+
 #include "openssl_ed_private_key.h"
 #include "openssl_util.h"

@ -170,7 +174,17 @@ METHOD(private_key_t, get_encoding, bool,
 		{
 			bool success = TRUE;

+#ifndef OPENSSL_IS_AWSLC
 			*encoding = openssl_i2chunk(PrivateKey, this->key);
+#else
+			/* AWS-LC currently doesn't implement i2d_PrivateKey for EdDSA */
+			PKCS8_PRIV_KEY_INFO *p8 = EVP_PKEY2PKCS8(this->key);
+			if (p8)
+			{
+				*encoding = openssl_i2chunk(PKCS8_PRIV_KEY_INFO, p8);
+				PKCS8_PRIV_KEY_INFO_free(p8);
+			}
+#endif

 			if (type == PRIVKEY_PEM)
 			{
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@ -645,22 +645,29 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
 #endif
 #endif /* OPENSSL_NO_ECDSA */
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) && \
-	!defined(OPENSSL_IS_AWSLC)
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
 		/* EdDSA private/public key loading */
 		PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+#ifndef OPENSSL_IS_AWSLC
 			PLUGIN_PROVIDE(PUBKEY, KEY_ED448),
+#endif
 		PLUGIN_REGISTER(PRIVKEY, openssl_ed_private_key_load, TRUE),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+#ifndef OPENSSL_IS_AWSLC
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ED448),
+#endif
 		PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ed_private_key_gen, FALSE),
 			PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
+#ifndef OPENSSL_IS_AWSLC
 			PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED448),
+#endif
 		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448),
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
+#ifndef OPENSSL_IS_AWSLC
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448),
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED448),
+#endif
 		/* register a pro forma identity hasher, never instantiated */
 		PLUGIN_REGISTER(HASHER, return_null),
 			PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@ -157,11 +157,12 @@ private_key_t *openssl_wrap_private_key(EVP_PKEY *key, bool engine)
 			case EVP_PKEY_EC:
 				return openssl_ec_private_key_create(key, engine);
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) && \
-!defined(OPENSSL_IS_AWSLC)
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
 			case EVP_PKEY_ED25519:
+#ifndef OPENSSL_IS_AWSLC
 			case EVP_PKEY_ED448:
-				return openssl_ed_private_key_create(key, engine);
+#endif
+				return openssl_ed_private_key_create(key, FALSE);
 #endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC && !OPENSSL_IS_AWSLC */
 			default:
 				EVP_PKEY_free(key);