openssl: Require min version 3.0.0 for HKDF to support larger MODP groups and nonces

Also enables the `kdf` plugin automatically if building against an older version of OpenSSL. Closes strongswan/strongswan#2602 Co-authored-by: Tobias Brunner <tobias@strongswan.org>
2025-10-04 00:00:14 -04:00 · 2025-01-08 08:28:25 -08:00 · 2025-01-08 08:28:25 -08:00 · 1d5c5a1d72
commit 1d5c5a1d72
parent d860c26e95
3 changed files with 23 additions and 11 deletions
--- a/configure.ac
+++ b/configure.ac
@ -525,15 +525,28 @@ if test x$cert_enroll = xtrue; then
 fi

 if test x$kdf = xfalse; then
+	openssl_hkdf=false
+	if test x$openssl = xtrue; then
+		AC_MSG_CHECKING(for OpenSSL >= 3.0 for HKDF)
+		AC_COMPILE_IFELSE(
+			[AC_LANG_PROGRAM(
+				[[#include <openssl/opensslv.h>]],
+				[[#if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_IS_AWSLC)
+					#error OpenSSL version unusable
+				  #endif]])],
+			[AC_MSG_RESULT([yes]); openssl_hkdf=true],
+			[AC_MSG_RESULT([no])]
+		)
+	fi
 	if test x$aesni = xtrue -o x$cmac = xtrue -o x$xcbc = xtrue; then
 		AC_MSG_WARN(m4_normalize([
 			kdf plugin is required for possible use of PRF_AES128_XCBC/CMAC
 			by one of these plugins: aesni, cmac, xcbc]))
 		kdf=true
-	elif test x$botan = xfalse -a x$openssl = xfalse -a x$wolfssl = xfalse; then
+	elif test x$botan = xfalse -a x$openssl_hkdf = xfalse -a x$wolfssl = xfalse; then
 		AC_MSG_WARN(m4_normalize([
 			kdf plugin is required because none of the following plugins is
-			enabled: botan, openssl, wolfssl]))
+			enabled or usable: botan, openssl, wolfssl]))
 		kdf=true
 	fi
 fi
--- a/scripts/test.sh
+++ b/scripts/test.sh
@ -240,6 +240,9 @@ openssl*)
 		use_custom_openssl $1
 	elif system_uses_openssl3; then
 		prepare_system_openssl $1
+	else
+		# the kdf plugin is necessary to build against older OpenSSL versions
+		TESTS_PLUGINS="$TESTS_PLUGINS kdf"
 	fi
 	;;
 gcrypt)
@ -352,13 +355,6 @@ win*)
 		TARGET=
 	else
 		CONFIG="$CONFIG --enable-openssl"
-		case "$IMG" in
-		2015|2017)
-			# old OpenSSL versions don't provide HKDF
-			CONFIG="$CONFIG --enable-kdf"
-			;;
-		esac
-
 		CFLAGS="$CFLAGS -I$OPENSSL_DIR/include"
 		LDFLAGS="-L$OPENSSL_DIR/lib"
 		case "$IMG" in
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@ -496,8 +496,11 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
-		/* HKDF is available since 1.1.0, expand-only mode only since 1.1.1 */
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L || \
+	defined (OPENSSL_IS_AWSLC)
+		/* HKDF is available since 1.1.0, expand-only mode only since 1.1.1,
+		 * but 3.0.0 is required to support larger MODP groups and nonces
+		 * with its 2048 byte buffer size */
 		PLUGIN_REGISTER(KDF, openssl_kdf_create),
 			PLUGIN_PROVIDE(KDF, KDF_PRF),
 			PLUGIN_PROVIDE(KDF, KDF_PRF_PLUS),