botan: Reject EC keys with explicitly encoded parameters

This requires a function that will be added in the upcoming Botan 3.2 release.
2025-10-04 00:00:14 -04:00 · 2023-08-31 14:27:09 +02:00 · 2023-08-31 14:27:09 +02:00 · 0b989c7b20
commit 0b989c7b20
parent 2bccdefc2c
2 changed files with 9 additions and 1 deletions
--- a/configure.ac
+++ b/configure.ac
@ -1215,7 +1215,7 @@ if test x$botan = xtrue; then
 	AC_SUBST(botan_LIBS)
 	saved_LIBS=$LIBS
 	LIBS="$botan_LIBS"
-	AC_CHECK_FUNCS(botan_rng_init_custom)
+	AC_CHECK_FUNCS(botan_rng_init_custom botan_pubkey_ecc_key_used_explicit_encoding)
 	LIBS=$saved_LIBS
 fi

--- a/src/libstrongswan/plugins/botan/botan_ec_public_key.c
+++ b/src/libstrongswan/plugins/botan/botan_ec_public_key.c
@ -235,6 +235,14 @@ botan_ec_public_key_t *botan_ec_public_key_adopt(botan_pubkey_t key)
 {
 	private_botan_ec_public_key_t *this;

+#ifdef HAVE_BOTAN_PUBKEY_ECC_KEY_USED_EXPLICIT_ENCODING
+	if (botan_pubkey_ecc_key_used_explicit_encoding(key))
+	{
+		botan_pubkey_destroy(key);
+		return NULL;
+	}
+#endif
+
 	INIT(this,
 		.public = {
 			.key = {