From 052a93955332723f3b31d7c07a2eb300bfd8ddba Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 8 Aug 2025 17:17:12 +0200
Subject: [PATCH] openssl: Add support for Ed25519 via AWS-LC

---
 .github/active-transforms/openssl-awslc | 1 +
 .../plugins/openssl/openssl_ed_private_key.c | 16 +++++++++++++++-
 .../plugins/openssl/openssl_plugin.c | 13 ++++++++++---
 src/libstrongswan/plugins/openssl/openssl_util.c | 7 ++++---
 4 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/.github/active-transforms/openssl-awslc b/.github/active-transforms/openssl-awslc
index 85a7f4385c..b54be9ebc9 100644
--- a/.github/active-transforms/openssl-awslc
+++ b/.github/active-transforms/openssl-awslc
@@ -56,6 +56,7 @@ HASH_SHA3_224[openssl]
 HASH_SHA3_256[openssl]
 HASH_SHA3_384[openssl]
 HASH_SHA3_512[openssl]
+HASH_IDENTITY[openssl]
 PRF_KEYED_SHA1[openssl]
 PRF_HMAC_MD5[openssl]
 PRF_HMAC_SHA1[openssl]
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c
index e8d900d94a..39968f7763 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2018-2025 Tobias Brunner
  *
  * Copyright (C) secunet Security Networks AG
  *
@@ -18,6 +18,10 @@
 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+#ifdef OPENSSL_IS_AWSLC
+#include
+#endif
+
 #include "openssl_ed_private_key.h"
 #include "openssl_util.h"
@@ -170,7 +174,17 @@ METHOD(private_key_t, get_encoding, bool,
 {
 bool success = TRUE;
+#ifndef OPENSSL_IS_AWSLC
 *encoding = openssl_i2chunk(PrivateKey, this->key);
+#else
+ /* AWS-LC currently doesn't implement i2d_PrivateKey for EdDSA */
+ PKCS8_PRIV_KEY_INFO *p8 = EVP_PKEY2PKCS8(this->key);
+ if (p8)
+ {
+ *encoding = openssl_i2chunk(PKCS8_PRIV_KEY_INFO, p8);
+ PKCS8_PRIV_KEY_INFO_free(p8);
+ }
+#endif
 if (type == PRIVKEY_PEM)
 {
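Review bot: In the AWS-LC branch of get_encoding, `*encoding` is never assigned and `success` stays TRUE when `EVP_PKEY2PKCS8()` returns NULL, whereas the non-AWS-LC path assigns `*encoding` unconditionally; the PEM conversion that follows the hunk then reads an indeterminate chunk. Add an else branch, at minimum `else { *encoding = chunk_empty; }`, so the failure case yields the same empty result the `openssl_i2chunk()` path presumably produces on error (its behaviour is not visible here), and consider setting `success = FALSE` if callers treat an empty encoding as a failure. The `#include` added in the earlier hunk of this file carries no header name in this rendering of the patch; confirm the intended header is present in the actual commit. get_encoding's body continues outside the hunk.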
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 2ee4d4569f..67f888c19a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -645,22 +645,29 @@ METHOD(plugin_t, get_features, int,
 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
 #endif
 #endif /* OPENSSL_NO_ECDSA */
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) && \
- !defined(OPENSSL_IS_AWSLC)
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
 /* EdDSA private/public key loading */
 PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE),
 PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+#ifndef OPENSSL_IS_AWSLC
 PLUGIN_PROVIDE(PUBKEY, KEY_ED448),
+#endif
 PLUGIN_REGISTER(PRIVKEY, openssl_ed_private_key_load, TRUE),
 PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+#ifndef OPENSSL_IS_AWSLC
 PLUGIN_PROVIDE(PRIVKEY, KEY_ED448),
+#endif
 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ed_private_key_gen, FALSE),
 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
+#ifndef OPENSSL_IS_AWSLC
 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED448),
+#endif
 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
- PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448),
 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
+#ifndef OPENSSL_IS_AWSLC
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448),
 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED448),
+#endif
 /* register a pro forma identity hasher, never instantiated */
 PLUGIN_REGISTER(HASHER, return_null),
 PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index 43bf2a752b..e42403ffbc 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
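Review bot: The four `#ifndef OPENSSL_IS_AWSLC` guards in the get_features hunk carry no explanation of why Ed448 is excluded, so a later reader has to reconstruct the reason from the commit title. A one-line comment at the first guard, `/* AWS-LC provides Ed25519 but no Ed448 */` (the commit message implies this; confirm it matches the AWS-LC build in use), would document the intent once, and the remaining guards can stay bare. The feature list and get_features continue outside the hunk.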
@@ -157,11 +157,12 @@ private_key_t *openssl_wrap_private_key(EVP_PKEY *key, bool engine)
 case EVP_PKEY_EC:
 return openssl_ec_private_key_create(key, engine);
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) && \
-!defined(OPENSSL_IS_AWSLC)
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
 case EVP_PKEY_ED25519:
+#ifndef OPENSSL_IS_AWSLC
 case EVP_PKEY_ED448:
-return openssl_ed_private_key_create(key, engine);
+#endif
+return openssl_ed_private_key_create(key, FALSE);
 #endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC && !OPENSSL_IS_AWSLC */
 default:
 EVP_PKEY_free(key);
-- 
2.47.3
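Review bot: The closing comment `#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC && !OPENSSL_IS_AWSLC */` is now stale, because the `#if` it closes no longer tests OPENSSL_IS_AWSLC; it should read `#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC */`. Separately, the EdDSA case now calls `openssl_ed_private_key_create(key, FALSE)` where it previously passed `engine`, while the EVP_PKEY_EC case above still forwards `engine`; this is a behaviour change the commit message does not mention, so if it is intentional (say, because EdDSA keys are never engine-backed) a short comment on that line should say so, and otherwise `engine` should be restored. openssl_wrap_private_key continues outside the hunk.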