From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 13 Oct 2023 07:10:56 +0000 (+0200)
Subject: Merge branch 'reject-explicit-ecdsa'
X-Git-Tag: 5.9.12dr2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5760243870d4ab6c5874d765f8b09b3c67b8fc6;p=thirdparty%2Fstrongswan.git

Merge branch 'reject-explicit-ecdsa'

There is a relatively recent NIAP requirement to reject certificates with
ECDSA keys that explicitly encode the curve parameters (TD0527, Test 8b).

Since explicit encoding is pretty rare (if used at all and e.g. wolfSSL
already rejects it, by default), we should follow that requirement and
just reject such keys/certificates completely.

This currently can be enforced in all crypto plugins except when using
older versions of OpenSSL (< 1.1.1h) and Botan (< 3.2.0).

Closes strongswan/strongswan#1949
References strongswan/strongswan#1796
---

b5760243870d4ab6c5874d765f8b09b3c67b8fc6