]> git.ipfire.org Git - thirdparty/strongswan.git/commitdiff
projects / thirdparty / strongswan.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ab19f69)
openssl: Check that EC keys don't have explicit params for internally loaded keys
authorTobias Brunner <tobias@strongswan.org>
Mon, 18 May 2026 12:45:38 +0000 (14:45 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 May 2026 15:27:33 +0000 (17:27 +0200)
Keys loaded via generic loader (KEY_ANY) or from a PKCS#12 file (or an
engine) don't go through the openssl_ec_private_key_load() constructor
that checks for explicit parameters.

src/libstrongswan/plugins/openssl/openssl_ec_private_key.c patch | blob | blame | history

diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 21df4c035a6149c7c2700b383eafcca134096b4f..9f9319024b373650ed109c807aea9d25a92bd5b7 100644 (file)
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -319,7 +319,8 @@ private_key_t *openssl_ec_private_key_create(EVP_PKEY *key, bool engine)
 {
        private_openssl_ec_private_key_t *this;
 
-       if (EVP_PKEY_base_id(key) != EVP_PKEY_EC)
+       if (EVP_PKEY_base_id(key) != EVP_PKEY_EC ||
+               openssl_check_explicit_params(key))
        {
                EVP_PKEY_free(key);
                return NULL;
Unnamed repository; edit this file 'description' to name the repository.