wolfssl: Reject EC keys with explicitly encoded parameters

These are not allowed in X.509 certificates according to RFC 5480 and
some newer validations apparently explicitly check for this.

Note that WolfSSL rejects such keys, by default.  Only when compiled with
WOLFSSL_NO_ASN_STRICT are they accepted.

diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_private_key.c b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_private_key.c
index a08cc17e39be109732eb822acd4b64eb4d942c24..addd3bda2a8dcd083e8ab54aff24cdd3e03d331f 100644 (file)
--- a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_private_key.c
@@ -449,7 +449,8 @@ wolfssl_ec_private_key_t *wolfssl_ec_private_key_load(key_type_t type,
        }
 
        idx = 0;
-       if (wc_EccPrivateKeyDecode(key.ptr, &idx, &this->ec, key.len) < 0)
+       if (wc_EccPrivateKeyDecode(key.ptr, &idx, &this->ec, key.len) < 0 ||
+               this->ec.idx == -1)
        {
                destroy(this);
                return NULL;

diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c
index 97abe950b91f5f01d574d5f35a7c79e41b4be99f..58fd6edede17e90d619377bc96db669c5e20c4eb 100644 (file)
--- a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c
@@ -378,7 +378,7 @@ wolfssl_ec_public_key_t *wolfssl_ec_public_key_load(key_type_t type,
 
        idx = 0;
        ret = wc_EccPublicKeyDecode(blob.ptr, &idx, &this->ec, blob.len);
-       if (ret < 0)
+       if (ret < 0 || this->ec.idx == -1)
        {
                destroy(this);
                return NULL;