sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-03 00:00:24 -04:00
Code Issues Projects Releases Wiki Activity

openssl: Add curve25519 and curve448 after ECDH groups

Browse Source 
This was the order before 46a6b062822c ("openssl: Only announce ECDH
groups actually supported by OpenSSL") but that's not really the reason
for this change.  It's related to the Android app, where we previously
didn't support these DH groups in BoringSSL and added the curve25519
plugin after the openssl plugin instead.  This resulted in the same
order, i.e. ECDH groups before curve25519.  With the switch to OpenSSL
and the mentioned commit, this changed and curve25519 was now the first
group that was proposed and used for the KE payload.  Not really an
issue you'd think, however, there are apparently Zyxel Firewalls with
older firmware versions (some forum posts mentioned a fix in V5.31) that
can't handle KE payloads with DH groups > 21 (ecp521). So with
curve25519 (31) proposed in the KE payload, they silently dropped the
IKE_SA_INIT request and no connection could be established.
This commit is contained in:
Tobias Brunner 2023-02-17 16:28:07 +01:00
parent 4d3fc90caf
commit 312847e1a3
1 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/libstrongswan/plugins/openssl/openssl_plugin.c
View File

@ -654,13 +654,6 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
#endif
#endif /* OPENSSL_NO_ECDSA */
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_ECDH)
PLUGIN_REGISTER(KE, openssl_x_diffie_hellman_create),
/* available since 1.1.0a, but we require 1.1.1 features */
PLUGIN_PROVIDE(KE, CURVE_25519),
/* available since 1.1.1 */
PLUGIN_PROVIDE(KE, CURVE_448),
#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_ECDH */
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
/* EdDSA private/public key loading */
PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE),
@ -705,6 +698,16 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(KE, ECP_224_BP),
#endif /* OPENSSL_VERSION_NUMBER */
#endif /* OPENSSL_NO_ECDH */
};
static plugin_feature_t f_xdh[] = {
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_ECDH)
/* define them here, so we can add them after the EC DH groups */
PLUGIN_REGISTER(KE, openssl_x_diffie_hellman_create),
/* available since 1.1.0a, but we require 1.1.1 features */
PLUGIN_PROVIDE(KE, CURVE_25519),
/* available since 1.1.1 */
PLUGIN_PROVIDE(KE, CURVE_448),
#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_ECDH */
};
static plugin_feature_t f[countof(f_base) + countof(f_ecdh)] = {};
static int count = 0;
@ -715,6 +718,7 @@ METHOD(plugin_t, get_features, int,
#ifndef OPENSSL_NO_ECDH
add_ecdh_features(f, f_ecdh, countof(f_ecdh), &count);
#endif
plugin_features_add(f, f_xdh, countof(f_xdh), &count);
}
*features = f;
return count;