sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-03 00:00:24 -04:00
Code Issues Projects Releases Wiki Activity

openssl: Condition out unsupported curves for AWS-LC

Browse Source 
AWS-LC lacks support for a number of elliptic curve algorithms so this
adds some conditional macros to avoid registering the related plugin
features. Support for curves ed448 and x448 is completely absent and are
not planned for implementation as they are no longer recommended for use.
While ed25519 is supported by the library, a single missing API for
ASN.1 DER encoding of its private keys is missing which prevents its
use in strongSwan. Future work may remove this limitation, but for now
we will disable the functionality.

Closes strongswan/strongswan#2109
This commit is contained in:
Gerardo Ravago 2024-02-20 11:54:01 -05:00 committed by Tobias Brunner
parent 7f1ba3cc68
commit e56b597af1
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/libstrongswan/plugins/openssl/openssl_plugin.c
View File

@ -301,11 +301,12 @@ static private_key_t *openssl_private_key_load(key_type_t type, va_list args)
case EVP_PKEY_EC:
return openssl_ec_private_key_create(key, FALSE);
#endif
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) && \
!defined(OPENSSL_IS_AWSLC)
case EVP_PKEY_ED25519:
case EVP_PKEY_ED448:
return openssl_ed_private_key_create(key, FALSE);
#endif /* OPENSSL_VERSION_NUMBER */
#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC && !OPENSSL_IS_AWSLC */
default:
EVP_PKEY_free(key);
break;
@ -654,7 +655,8 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
#endif
#endif /* OPENSSL_NO_ECDSA */
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) && \
!defined(OPENSSL_IS_AWSLC)
/* EdDSA private/public key loading */
PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE),
PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
@ -672,7 +674,7 @@ METHOD(plugin_t, get_features, int,
/* register a pro forma identity hasher, never instantiated */
PLUGIN_REGISTER(HASHER, return_null),
PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC */
#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC && !OPENSSL_IS_AWSLC */
/* generic key loader */
PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE),
PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
@ -705,8 +707,10 @@ METHOD(plugin_t, get_features, int,
PLUGIN_REGISTER(KE, openssl_x_diffie_hellman_create),
/* available since 1.1.0a, but we require 1.1.1 features */
PLUGIN_PROVIDE(KE, CURVE_25519),
#ifndef OPENSSL_IS_AWSLC
/* available since 1.1.1 */
PLUGIN_PROVIDE(KE, CURVE_448),
#endif /* OPENSSL_IS_AWSLC */
#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_ECDH */
};
static plugin_feature_t f[countof(f_base) + countof(f_ecdh) + countof(f_xdh)] = {};