Adding support in confread.c and defining policy.

Adding support in PUBKEY_ALG_EDDSA.

include/ietf_constants.h

@@ -1658,6 +1658,7 @@ enum pubkey_alg {
 	PUBKEY_ALG_DSA = 1,
 	PUBKEY_ALG_RSA = 2,
 	PUBKEY_ALG_ECDSA = 3,
+	PUBKEY_ALG_EDDSA = 4,
 };
 
 /*

include/pluto_constants.h

@@ -845,6 +845,7 @@ enum sa_policy_bits {
 	POLICY_PSK_IX = 0,
 	POLICY_RSASIG_IX = 1,
 	POLICY_ECDSA_IX = 2,
+	POLICY_EDDSA_IX = 3,
 	POLICY_AUTH_NEVER_IX,
 	POLICY_AUTH_NULL_IX,
 
@@ -931,6 +932,7 @@ enum sa_policy_bits {
 #define POLICY_PSK	LELEM(POLICY_PSK_IX)
 #define POLICY_RSASIG	LELEM(POLICY_RSASIG_IX)
 #define POLICY_ECDSA   LELEM(POLICY_ECDSA_IX)
+#define POLICY_EDDSA   LELEM(POLICY_EDDSA_IX)
 #define POLICY_AUTH_NEVER	LELEM(POLICY_AUTH_NEVER_IX)
 #define POLICY_AUTH_NULL LELEM(POLICY_AUTH_NULL_IX)
 #define POLICY_ENCRYPT	LELEM(POLICY_ENCRYPT_IX)	/* must be first of IPSEC policies */

include/secrets.h

@@ -167,6 +167,7 @@ struct pubkey_type {
 
 extern const struct pubkey_type pubkey_type_rsa;
 extern const struct pubkey_type pubkey_type_ecdsa;
+extern const struct pubkey_type pubkey_type_eddsa;
 
 const struct pubkey_type *pubkey_alg_type(enum pubkey_alg alg);
 

lib/libipsecconf/confread.c

@@ -179,7 +179,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
 	d->ike_version = IKEv2;
 	d->policy =
 		POLICY_TUNNEL |
-		POLICY_ECDSA | POLICY_RSASIG | POLICY_RSASIG_v1_5 | /* authby= */
+		POLICY_ECDSA | POLICY_EDDSA | POLICY_RSASIG | POLICY_RSASIG_v1_5 | /* authby= */
 		POLICY_ENCRYPT | POLICY_PFS |
 		POLICY_IKE_FRAG_ALLOW |      /* ike_frag=yes */
 		POLICY_ESN_NO;      	     /* esn=no */
@@ -1494,6 +1494,9 @@ static bool load_conn(struct starter_conn *conn,
 			} else if (streq(val, "ecdsa-sha1")) {
 				starter_error_append(perrl, "authby=ecdsa cannot use sha1, only sha2");
 				return TRUE;
+			} else if (streq(val, "eddsa") || streq(val, "eddsa-identity")) {
+				conn->policy |= POLICY_EDDSA;
+				conn->sighash_policy |= POL_SIGHASH_IDENTITY;
 			} else {
 				starter_error_append(perrl, "connection authby= value is unknown");
 				return TRUE;

lib/libswan/Makefile

@@ -38,6 +38,7 @@ include $(top_srcdir)/mk/config.mk
 LIB = libswan.a
 
 OBJS += x509dn.o asn1.o oid.o
+USERLAND_LDFLAGS += $(NSS_UTIL_LDFLAGS)
 
 OBJS += constants.o \
 	id.o \

lib/libswan/secrets.c

@@ -42,6 +42,12 @@
 #include <cert.h>
 #include <cryptohi.h>
 #include <keyhi.h>
+#include <secport.h>
+#include <prinit.h>
+#include <prmem.h>
+#include <keythi.h>
+#include <seccomon.h>
+#include <secerr.h>
 
 #include "lswglob.h"
 #include "sysdep.h"
@@ -79,6 +85,39 @@
  * @return err_t
  */
 
+ ECPointEncoding pk11_ECGetPubkeyEncoding(const SECKEYPublicKey *pubKey);
+ ECPointEncoding
+  pk11_ECGetPubkeyEncoding(const SECKEYPublicKey *pubKey)
+  {
+      SECItem oid;
+      SECStatus rv;
+      PORTCheapArenaPool tmpArena;
+      ECPointEncoding encoding = ECPoint_Undefined;
+
+      PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+
+      /* decode the OID tag */
+      rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid,
+                                  SEC_ASN1_GET(SEC_ObjectIDTemplate),
+                                  &pubKey->u.ec.DEREncodedParams);
+      if (rv == SECSuccess) {
+          SECOidTag tag = SECOID_FindOIDTag(&oid);
+          switch (tag) {
+              case SEC_OID_CURVE25519:
+                  encoding = ECPoint_XOnly;
+                  break;
+              case SEC_OID_SECG_EC_SECP256R1:
+              case SEC_OID_SECG_EC_SECP384R1:
+              case SEC_OID_SECG_EC_SECP521R1:
+              default:
+                  /* unknown curve, default to uncompressed */
+                  encoding = ECPoint_Uncompressed;
+          }
+      }
+      PORT_DestroyCheapArena(&tmpArena);
+      return encoding;
+  }
+
 static err_t builddiag(const char *fmt, ...) PRINTF_LIKE(1);	/* NOT RE-ENTRANT */
 static err_t builddiag(const char *fmt, ...)
 {
@@ -430,7 +469,7 @@ static err_t EC_secret_sane(struct private_key_stuff *pks_unused UNUSED)
 	return NULL;
 }
 
-static struct hash_signature ECDSA_sign_hash(const struct private_key_stuff *pks,
+static struct hash_signature EC_sign_hash(const struct private_key_stuff *pks,
 					     const uint8_t *hash_val, size_t hash_len,
 					     const struct hash_desc *hash_algo_unused UNUSED,
 					     struct logger *logger)
@@ -500,15 +539,30 @@ const struct pubkey_type pubkey_type_ecdsa = {
 	.extract_private_key_pubkey_content = EC_extract_private_key_pubkey_content,
 	.free_secret_content = EC_free_secret_content,
 	.secret_sane = EC_secret_sane,
-	.sign_hash = ECDSA_sign_hash,
+	.sign_hash = EC_sign_hash,
 	.extract_pubkey_content = EC_extract_pubkey_content,
 };
 
+const struct pubkey_type pubkey_type_eddsa = {
+	.alg = PUBKEY_ALG_EDDSA,
+	.name = "EDDSA",
+	.private_key_kind = PKK_EC,
+	.unpack_pubkey_content = EC_unpack_pubkey_content,
+	.free_pubkey_content = EC_free_pubkey_content,
+	.extract_private_key_pubkey_content = EC_extract_private_key_pubkey_content,
+	.free_secret_content = EC_free_secret_content,
+	.secret_sane = EC_secret_sane,
+	.sign_hash = EC_sign_hash,
+	.extract_pubkey_content = EC_extract_pubkey_content,
+};
+
+
 const struct pubkey_type *pubkey_alg_type(enum pubkey_alg alg)
 {
 	static const struct pubkey_type *pubkey_types[] = {
 		[PUBKEY_ALG_RSA] = &pubkey_type_rsa,
 		[PUBKEY_ALG_ECDSA] = &pubkey_type_ecdsa,
+		[PUBKEY_ALG_EDDSA] = &pubkey_type_eddsa,
 	};
 	passert(alg < elemsof(pubkey_types));
 	const struct pubkey_type *type = pubkey_types[alg];
@@ -527,6 +581,7 @@ const keyid_t *pubkey_keyid(const struct pubkey *pk)
 	switch (pk->type->alg) {
 	case PUBKEY_ALG_RSA:
 	case PUBKEY_ALG_ECDSA:
+	case PUBKEY_ALG_EDDSA:
 		return &pk->keyid;
 	default:
 		bad_case(pk->type->alg);
@@ -554,6 +609,7 @@ const keyid_t *secret_keyid(const struct secret *secret)
 		switch (secret->pks.pubkey_type->alg) {
 		case PUBKEY_ALG_RSA:
 		case PUBKEY_ALG_ECDSA:
+		case PUBKEY_ALG_EDDSA:
 			return &secret->pks.keyid;
 		default:
 			bad_case(secret->pks.pubkey_type->alg);
@@ -568,6 +624,7 @@ unsigned pubkey_size(const struct pubkey *pk)
 	switch (pk->type->alg) {
 	case PUBKEY_ALG_RSA:
 	case PUBKEY_ALG_ECDSA:
+	case PUBKEY_ALG_EDDSA:
 		return pk->size;
 	default:
 		bad_case(pk->type->alg);
@@ -1703,7 +1760,10 @@ static const struct pubkey_type *pubkey_type_nss(SECKEYPublicKey *pubk)
 	case rsaKey:
 		return &pubkey_type_rsa;
 	case ecKey:
-		return &pubkey_type_ecdsa;
+	    if (pk11_ECGetPubkeyEncoding(pubk) == ECPoint_XOnly)
+            return &pubkey_type_eddsa;
+        else
+            return &pubkey_type_ecdsa;
 	default:
 		return NULL;
 	}
@@ -1716,7 +1776,13 @@ static const struct pubkey_type *private_key_type_nss(SECKEYPrivateKey *private_
 	case rsaKey:
 		return &pubkey_type_rsa;
 	case ecKey:
-		return &pubkey_type_ecdsa;
+	    SECKEYPublicKey *pubk = SECKEY_ConvertToPublicKey(private_key);
+	    if(pubk == NULL)
+	        return NULL;
+	    if (pk11_ECGetPubkeyEncoding(pubk) == ECPoint_XOnly)
+	        return &pubkey_type_eddsa;
+	    else
+	        return &pubkey_type_ecdsa;
 	default:
 		return NULL;
 	}

programs/pluto/Makefile

@@ -53,6 +53,7 @@ OBJS += send.o
 ifeq ($(USE_IKEv1),true)
 OBJS += ikev1_send.o
 endif
+USERLAND_LDFLAGS += $(NSS_UTIL_LDFLAGS)
 
 OBJS += unpack.o
 OBJS += impair_message.o

programs/showhostkey/Makefile

@@ -19,6 +19,7 @@ OBJS += $(LIBRESWANLIB)
 OBJS += $(LSWTOOLLIBS)
 USERLAND_LDFLAGS += $(NSS_LDFLAGS)
 USERLAND_LDFLAGS += $(NSPR_LDFLAGS)
+USERLAND_LDFLAGS += $(NSS_UTIL_LDFLAGS)
 
 ifdef top_srcdir
 include $(top_srcdir)/mk/program.mk