openssl: Add support for Ed25519 via AWS-LC
authorTobias Brunner <tobias@strongswan.org>
Fri, 8 Aug 2025 15:17:12 +0000 (17:17 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 21 Aug 2025 14:44:01 +0000 (16:44 +0200)
.github/active-transforms/openssl-awslc
src/libstrongswan/plugins/openssl/openssl_ed_private_key.c
src/libstrongswan/plugins/openssl/openssl_plugin.c
src/libstrongswan/plugins/openssl/openssl_util.c

index 85a7f4385c931c08de0b139a6f1f71d3455212d9..b54be9ebc9931db1ba02ea9eb849d1c42273208c 100644 (file)
@@ -56,6 +56,7 @@ HASH_SHA3_224[openssl]
 HASH_SHA3_256[openssl]
 HASH_SHA3_384[openssl]
 HASH_SHA3_512[openssl]
+HASH_IDENTITY[openssl]
 PRF_KEYED_SHA1[openssl]
 PRF_HMAC_MD5[openssl]
 PRF_HMAC_SHA1[openssl]
index e8d900d94a5de3012c98ef8f821f64182f61dd34..39968f77631191cbca83ad1cc997efe90d1efc53 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2018-2025 Tobias Brunner
  *
  * Copyright (C) secunet Security Networks AG
  *
 
 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
 
+#ifdef OPENSSL_IS_AWSLC
+#include <openssl/x509.h>
+#endif
+
 #include "openssl_ed_private_key.h"
 #include "openssl_util.h"
 
@@ -170,7 +174,17 @@ METHOD(private_key_t, get_encoding, bool,
                {
                        bool success = TRUE;
 
+#ifndef OPENSSL_IS_AWSLC
                        *encoding = openssl_i2chunk(PrivateKey, this->key);
+#else
+                       /* AWS-LC currently doesn't implement i2d_PrivateKey for EdDSA */
+                       PKCS8_PRIV_KEY_INFO *p8 = EVP_PKEY2PKCS8(this->key);
+                       if (p8)
+                       {
+                               *encoding = openssl_i2chunk(PKCS8_PRIV_KEY_INFO, p8);
+                               PKCS8_PRIV_KEY_INFO_free(p8);
+                       }
+#endif
 
                        if (type == PRIVKEY_PEM)
                        {
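Review bot: In the AWS-LC branch `*encoding` is never assigned when `EVP_PKEY2PKCS8()` returns NULL, whereas the non-AWS-LC path always writes it through `openssl_i2chunk`; the code after the `#endif` (the `if (type == PRIVKEY_PEM)` block and whatever follows outside the hunk) then operates on whatever the caller left in `*encoding`, presumably uninitialized. Initialize it before the branch, `*encoding = chunk_empty;` ahead of `if (p8)`, so both paths report failure the same way, and if the later code relies on `success` rather than on an empty chunk, set `success = FALSE` on the NULL path as well. The PKCS#8 structure holds the raw private key material; whether `PKCS8_PRIV_KEY_INFO_free()` wipes it before release is not visible here and is worth confirming against AWS-LC's implementation. get_encoding starts and ends outside the hunk.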
index 2ee4d4569f6ec782933809b0d5a5d2c8beddc0ec..67f888c19a0a0d5076c4f295940ee0bff85c76ea 100644 (file)
@@ -645,22 +645,29 @@ METHOD(plugin_t, get_features, int,
                PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
 #endif
 #endif /* OPENSSL_NO_ECDSA */
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) && \
-       !defined(OPENSSL_IS_AWSLC)
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
                /* EdDSA private/public key loading */
                PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE),
                        PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+#ifndef OPENSSL_IS_AWSLC
                        PLUGIN_PROVIDE(PUBKEY, KEY_ED448),
+#endif
                PLUGIN_REGISTER(PRIVKEY, openssl_ed_private_key_load, TRUE),
                        PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+#ifndef OPENSSL_IS_AWSLC
                        PLUGIN_PROVIDE(PRIVKEY, KEY_ED448),
+#endif
                PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ed_private_key_gen, FALSE),
                        PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
+#ifndef OPENSSL_IS_AWSLC
                        PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED448),
+#endif
                PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
-               PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448),
                PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
+#ifndef OPENSSL_IS_AWSLC
+               PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448),
                PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED448),
+#endif
                /* register a pro forma identity hasher, never instantiated */
                PLUGIN_REGISTER(HASHER, return_null),
                        PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
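Review bot: The four `#ifndef OPENSSL_IS_AWSLC` guards around the Ed448 entries (PUBKEY, PRIVKEY, PRIVKEY_GEN and the two signature schemes) give no hint why Ed448 is excluded; a one-line comment on the first guard, `/* Ed448 is not available with AWS-LC */`, would save the next reader a trip to the commit log (that AWS-LC lacks Ed448 is inferred from the commit title, so adjust the wording if the reason differs). As a point of style, a single feature macro defined once at the top of the file (placeholder name `HAVE_ED448`, set unless `OPENSSL_IS_AWSLC` is defined) would replace the repeated guards and keep this list readable as more AWS-LC gaps are handled. The `#if` condition on the preceding line dropped `!defined(OPENSSL_IS_AWSLC)`; check that the matching `#endif` comment further down (outside the hunk) was updated, since the equivalent one in openssl_util.c in this commit was not.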
index 43bf2a752b48a33d747aeb47d506ddb0edd35e45..e42403ffbc9b579a09a66c64be6eabe43d94140e 100644 (file)
@@ -157,11 +157,12 @@ private_key_t *openssl_wrap_private_key(EVP_PKEY *key, bool engine)
                        case EVP_PKEY_EC:
                                return openssl_ec_private_key_create(key, engine);
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) && \
-!defined(OPENSSL_IS_AWSLC)
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
                        case EVP_PKEY_ED25519:
+#ifndef OPENSSL_IS_AWSLC
                        case EVP_PKEY_ED448:
-                               return openssl_ed_private_key_create(key, engine);
+#endif
+                               return openssl_ed_private_key_create(key, FALSE);
 #endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC && !OPENSSL_IS_AWSLC */
                        default:
                                EVP_PKEY_free(key);
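Review bot: The trailing comment on the `#endif` still reads `/* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC && !OPENSSL_IS_AWSLC */` although the `#if` above no longer tests `OPENSSL_IS_AWSLC`; change it to `#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC */`. Separately, the call now passes `FALSE` instead of the function's `engine` argument to `openssl_ed_private_key_create()`, so an engine-backed EdDSA key is wrapped as a non-engine key from here on; the commit description doesn't say why, so if this is deliberate (for instance because the Ed wrapper has no engine path) a short comment on that line would stop a future reader from reverting it. openssl_wrap_private_key continues outside the hunk.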