httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From traw...@apache.org
Subject svn commit: r1515537 - in /httpd/httpd/branches/2.2.x: ./ docs/conf/extra/ docs/manual/mod/ modules/ssl/
Date Mon, 19 Aug 2013 18:04:16 GMT
Author: trawick
Date: Mon Aug 19 18:04:16 2013
New Revision: 1515537

URL: http://svn.apache.org/r1515537
Log:
2 votes in one proposal for 1082189 and 1 vote in another = approval

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
    httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_util.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Aug 19 18:04:16 2013
@@ -5,6 +5,10 @@ Changes with Apache 2.2.26
      causes security issues in most setups. (The so called "CRIME" attack).
      [Stefan Fritsch]
 
+  *) mod_ssl: enable support for ECC keys and ECDH ciphers.  Tested against
+     OpenSSL 1.0.0b3.  [Vipul Gupta vipul.gupta sun.com, Sander Temme,
+     Stefan Fritsch]
+
   *) mod_ssl: Fix compilation error when OpenSSL does not contain
      support for SSLv2. Problem was introduced in 2.2.25. PR 55194.
      [Rainer Jung, Kaspar Brand]

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Mon Aug 19 18:04:16 2013
@@ -101,16 +101,16 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
     trunk: http://svn.apache.org/r1506714
     +1: gstein, wrowe, rpluem
 
-PATCHES PROPOSED TO BACKPORT FROM TRUNK:
-  [ New proposals should be added at the end of the list ]
-
   * mod_ssl: Compare SNI hostname against Host header case-insensitively.
       PR: 49491
       Trunk version of patch:
          http://svn.apache.org/r1082189
       Backport version for 2.2.x of patch:
          Trunk version of patch works
-      +1: rpluem, trawick
+      +1: rpluem, trawick, covener
+
+PATCHES PROPOSED TO BACKPORT FROM TRUNK:
+  [ New proposals should be added at the end of the list ]
 
   * mod_ssl: Support ECC keys
     trunk patch: http://svn.apache.org/r834378 
@@ -124,15 +124,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
                  http://svn.apache.org/r1308862
                  http://svn.apache.org/r1509875
     2.2.x patch: http://people.apache.org/~sf/ECC-2.2-v2.diff
-    +1: sf
-    trawick: Is there any particular reason that the patch doesn't
-             define OPENSSL_NO_EC for older OpenSSL levels and use 
-             that as the feature check, as is done in the 2.4.x 
-             branch?  I guess I can help out with that if it is just
-             a matter of labor.
-    sf: It does (in ssl_toolkit_compat.h where these things are in 2.2).
-        But v1 of the patch lacked one commit to properly use OPENSSL_NO_EC
-        everywhere. Fixed in v2.
+    +1: sf, trawick
 
   * mod_ssl config: Fix range check bug with SSLRenegBufferSize
     trunk patch: http://svn.apache.org/r954641
@@ -142,14 +134,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
     2.2.x patch: trunk patch to ssl_engine_config.c (above) applies with offset
     +1: trawick
 
-  * mod_ssl: compare SNI hostname to Host header case insensitively
-
-    trunk patch: http://svn.apache.org/viewvc?rev=1082189&view=rev
-    2.4.x patch: n/a, fixed before 2.4 branched.
-    2.2.x patch: trunk works
-    +1 covener
-    
-
 PATCHES/ISSUES THAT ARE STALLED
 
   * mod_cache: Realign the cache_quick_handler() to behave identically

Modified: httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in (original)
+++ httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in Mon Aug 19 18:04:16 2013
@@ -114,16 +114,22 @@ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 #   in mind that if you have both an RSA and a DSA certificate you
 #   can configure both in parallel (to also allow the use of DSA
 #   ciphers, etc.)
+#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+#   require an ECC certificate which can also be configured in
+#   parallel.
 SSLCertificateFile "@exp_sysconfdir@/server.crt"
 #SSLCertificateFile "@exp_sysconfdir@/server-dsa.crt"
+#SSLCertificateFile "@exp_sysconfdir@/server-ecc.crt"
 
 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
 #   directive to point at the key file.  Keep in mind that if
 #   you've both a RSA and a DSA private key you can configure
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
+#   ECC keys, when in use, can also be configured in parallel
 SSLCertificateKeyFile "@exp_sysconfdir@/server.key"
 #SSLCertificateKeyFile "@exp_sysconfdir@/server-dsa.key"
+#SSLCertificateKeyFile "@exp_sysconfdir@/server-ecc.key"
 
 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml Mon Aug 19 18:04:16 2013
@@ -188,12 +188,12 @@ query can be done in two ways which can 
     Here an external program is configured which is called at startup for each
     encrypted Private Key file. It is called with two arguments (the first is
     of the form ``<code>servername:portnumber</code>'', the second is either
-    ``<code>RSA</code>'' or ``<code>DSA</code>''), which indicate
for which
-    server and algorithm it has to print the corresponding Pass Phrase to
-    <code>stdout</code>. The intent is that this external program first runs
-    security checks to make sure that the system is not compromised by an
-    attacker, and only when these checks were passed successfully it provides
-    the Pass Phrase.</p>
+    ``<code>RSA</code>'', ``<code>DSA</code>'', or ``<code>ECC</code>''),
which
+    indicate for which server and algorithm it has to print the corresponding
+    Pass Phrase to <code>stdout</code>.  The intent is that this external
+    program first runs security checks to make sure that the system is not
+    compromised by an attacker, and only when these checks were passed
+    successfully it provides the Pass Phrase.</p>
     <p>
     Both these security checks, and the way the Pass Phrase is determined, can
     be as complex as you like. Mod_ssl just defines the interface: an
@@ -761,6 +761,7 @@ SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MED
 <syntax>SSLCertificateFile <em>file-path</em></syntax>
 <contextlist><context>server config</context>
 <context>virtual host</context></contextlist>
+<compatibility>ECC support is available in Apache 2.2.26 and later</compatibility>
 
 <usage>
 <p>
@@ -768,8 +769,8 @@ This directive points to the PEM-encoded
 optionally also to the corresponding RSA or DSA Private Key file for it
 (contained in the same file). If the contained Private Key is encrypted the
 Pass Phrase dialog is forced at startup time. This directive can be used up to
-two times (referencing different filenames) when both a RSA and a DSA based
-server certificate is used in parallel.</p>
+three times (referencing different filenames) when both a RSA, a DSA, and an
+ECC based server certificate is used in parallel.</p>
 <example><title>Example</title>
 SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
 </example>
@@ -782,6 +783,7 @@ SSLCertificateFile /usr/local/apache2/co
 <syntax>SSLCertificateKeyFile <em>file-path</em></syntax>
 <contextlist><context>server config</context>
 <context>virtual host</context></contextlist>
+<compatibility>ECC support is available in Apache 2.2.26 and later</compatibility>
 
 <usage>
 <p>
@@ -794,8 +796,8 @@ contains both the Certificate and the Pr
 not be used. But we strongly discourage this practice.  Instead we
 recommend you to separate the Certificate and the Private Key. If the
 contained Private Key is encrypted, the Pass Phrase dialog is forced
-at startup time. This directive can be used up to two times
-(referencing different filenames) when both a RSA and a DSA based
+at startup time. This directive can be used up to three times
+(referencing different filenames) when both a RSA, a DSA, and an ECC based
 private key is used in parallel.</p>
 <example><title>Example</title>
 SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key

Modified: httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c Mon Aug 19 18:04:16 2013
@@ -441,6 +441,9 @@ int ssl_init_ssl_connection(conn_rec *c)
      */
     SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
     SSL_set_tmp_dh_callback(ssl,  ssl_callback_TmpDH);
+#ifndef OPENSSL_NO_EC
+    SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH);
+#endif
 
     SSL_set_verify_result(ssl, X509_V_OK);
 

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c Mon Aug 19 18:04:16 2013
@@ -72,6 +72,9 @@ static void ssl_tmp_keys_free(server_rec
 
     MODSSL_TMP_KEYS_FREE(mc, RSA);
     MODSSL_TMP_KEYS_FREE(mc, DH);
+#ifndef OPENSSL_NO_EC
+    MODSSL_TMP_KEY_FREE(mc, EC_KEY, SSL_TMP_KEY_EC_256);
+#endif
 }
 
 static int ssl_tmp_key_init_rsa(server_rec *s,
@@ -133,6 +136,40 @@ static int ssl_tmp_key_init_dh(server_re
     return OK;
 }
 
+#ifndef OPENSSL_NO_EC
+static int ssl_tmp_key_init_ec(server_rec *s,
+                               int bits, int idx)
+{
+    SSLModConfigRec *mc = myModConfig(s);
+    EC_KEY *ecdh = NULL;
+
+    /* XXX: Are there any FIPS constraints we should enforce? */
+
+    if (bits != 256) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "Init: Failed to generate temporary "
+                     "%d bit EC parameters, only 256 bits supported", bits);
+        return !OK;
+    }
+
+    if ((ecdh = EC_KEY_new()) == NULL ||
+        EC_KEY_set_group(ecdh, EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) != 1)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "Init: Failed to generate temporary "
+                     "%d bit EC parameters", bits);
+        return !OK;
+    }
+
+    mc->pTmpKeys[idx] = ecdh;
+    return OK;
+}
+
+#define MODSSL_TMP_KEY_INIT_EC(s, bits) \
+    ssl_tmp_key_init_ec(s, bits, SSL_TMP_KEY_EC_##bits)
+
+#endif
+
 #define MODSSL_TMP_KEY_INIT_RSA(s, bits) \
     ssl_tmp_key_init_rsa(s, bits, SSL_TMP_KEY_RSA_##bits)
 
@@ -157,6 +194,15 @@ static int ssl_tmp_keys_init(server_rec 
         return !OK;
     }
 
+#ifndef OPENSSL_NO_EC
+    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                 "Init: Generating temporary EC parameters (256 bits)");
+
+    if (MODSSL_TMP_KEY_INIT_EC(s, 256)) {
+        return !OK;
+    }
+#endif
+
     return OK;
 }
 
@@ -399,7 +445,11 @@ static void ssl_init_server_check(server
      *  Check for problematic re-initializations
      */
     if (mctx->pks->certs[SSL_AIDX_RSA] ||
-        mctx->pks->certs[SSL_AIDX_DSA])
+        mctx->pks->certs[SSL_AIDX_DSA]
+#ifndef OPENSSL_NO_EC
+      || mctx->pks->certs[SSL_AIDX_ECC]
+#endif
+        )
     {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                 "Illegal attempt to re-initialise SSL for server "
@@ -599,6 +649,9 @@ static void ssl_init_ctx_callbacks(serve
 
     SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
+#ifndef OPENSSL_NO_EC
+    SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);
+#endif
 
     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
 }
@@ -866,9 +919,16 @@ static int ssl_server_import_key(server_
     ssl_asn1_t *asn1;
     MODSSL_D2I_PrivateKey_CONST unsigned char *ptr;
     const char *type = ssl_asn1_keystr(idx);
-    int pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
+    int pkey_type;
     EVP_PKEY *pkey;
 
+#ifndef OPENSSL_NO_EC
+    if (idx == SSL_AIDX_ECC)
+      pkey_type = EVP_PKEY_EC;
+    else
+#endif /* SSL_LIBRARY_VERSION */
+    pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
+
     if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) {
         return FALSE;
     }
@@ -978,20 +1038,34 @@ static void ssl_init_server_certs(server
                                   apr_pool_t *ptemp,
                                   modssl_ctx_t *mctx)
 {
-    const char *rsa_id, *dsa_id;
+    const char *rsa_id, *dsa_id, *ecc_id;
     const char *vhost_id = mctx->sc->vhost_id;
     int i;
-    int have_rsa, have_dsa;
+    int have_rsa, have_dsa, have_ecc;
 
     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
+#ifndef OPENSSL_NO_EC
+    ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
+#endif
 
     have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
     have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
+#ifndef OPENSSL_NO_EC
+    have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
+#endif
 
-    if (!(have_rsa || have_dsa)) {
+    if (!(have_rsa || have_dsa
+#ifndef OPENSSL_NO_EC
+        || have_ecc
+#endif
+)) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+#ifndef OPENSSL_NO_EC
+                "Oops, no RSA, DSA or ECC server certificate found "
+#else
                 "Oops, no RSA or DSA server certificate found "
+#endif
                 "for '%s:%d'?!", s->server_hostname, s->port);
         ssl_die();
     }
@@ -1002,10 +1076,21 @@ static void ssl_init_server_certs(server
 
     have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA);
     have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA);
+#if SSL_LIBRARY_VERSION >= 0x00908000
+    have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC);
+#endif
 
-    if (!(have_rsa || have_dsa)) {
+    if (!(have_rsa || have_dsa
+#if SSL_LIBRARY_VERSION >= 0x00908000
+        || have_ecc
+#endif
+          )) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+#if SSL_LIBRARY_VERSION >= 0x00908000
+                "Oops, no RSA, DSA or ECC server private key found?!");
+#else
                 "Oops, no RSA or DSA server private key found?!");
+#endif
         ssl_die();
     }
 }

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c Mon Aug 19 18:04:16 2013
@@ -1267,6 +1267,27 @@ DH *ssl_callback_TmpDH(SSL *ssl, int exp
     return (DH *)mc->pTmpKeys[idx];
 }
 
+#ifndef OPENSSL_NO_EC
+EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen)
+{
+    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
+    SSLModConfigRec *mc = myModConfigFromConn(c);
+    int idx;
+
+    /* XXX Uses 256-bit key for now. TODO: support other sizes. */
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+                  "handing out temporary 256 bit ECC key");
+
+    switch (keylen) {
+      case 256:
+      default:
+        idx = SSL_TMP_KEY_EC_256;
+    }
+
+    return (EC_KEY *)mc->pTmpKeys[idx];
+}
+#endif
+
 /*
  * This OpenSSL callback function is called when OpenSSL
  * does client authentication and verifies the certificate chain.

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h Mon Aug 19 18:04:16 2013
@@ -191,11 +191,21 @@ typedef int ssl_algo_t;
 #define SSL_ALGO_UNKNOWN (0)
 #define SSL_ALGO_RSA     (1<<0)
 #define SSL_ALGO_DSA     (1<<1)
+#ifndef OPENSSL_NO_EC
+#define SSL_ALGO_ECC     (1<<2)
+#define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
+#else
 #define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA)
+#endif /* SSL_LIBRARY_VERSION */
 
 #define SSL_AIDX_RSA     (0)
 #define SSL_AIDX_DSA     (1)
+#ifndef OPENSSL_NO_EC
+#define SSL_AIDX_ECC     (2)
+#define SSL_AIDX_MAX     (3)
+#else
 #define SSL_AIDX_MAX     (2)
+#endif /* SSL_LIBRARY_VERSION */
 
 
 /**
@@ -206,7 +216,12 @@ typedef int ssl_algo_t;
 #define SSL_TMP_KEY_RSA_1024 (1)
 #define SSL_TMP_KEY_DH_512   (2)
 #define SSL_TMP_KEY_DH_1024  (3)
+#ifndef OPENSSL_NO_EC
+#define SSL_TMP_KEY_EC_256   (4)
+#define SSL_TMP_KEY_MAX      (5)
+#else
 #define SSL_TMP_KEY_MAX      (4)
+#endif
 
 /**
  * Define the SSL options
@@ -625,6 +640,9 @@ void         ssl_hook_ConfigTest(apr_poo
 /**  OpenSSL callbacks */
 RSA         *ssl_callback_TmpRSA(SSL *, int, int);
 DH          *ssl_callback_TmpDH(SSL *, int, int);
+#ifndef OPENSSL_NO_EC
+EC_KEY      *ssl_callback_TmpECDH(SSL *, int, int);
+#endif /* SSL_LIBRARY_VERSION */
 int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
 int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
 int          ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY
**pkey);

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h Mon Aug 19 18:04:16 2013
@@ -38,6 +38,12 @@
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
+
+/* ECC support came along in OpenSSL 1.0.0 */
+#if (OPENSSL_VERSION_NUMBER < 0x10000000)
+#define OPENSSL_NO_EC
+#endif
+
 /** Avoid tripping over an engine build installed globally and detected
  * when the user points at an explicit non-engine flavor of OpenSSL
  */

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_util.c?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_util.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_util.c Mon Aug 19 18:04:16 2013
@@ -150,6 +150,11 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCe
             case EVP_PKEY_DSA:
                 t = SSL_ALGO_DSA;
                 break;
+#ifndef OPENSSL_NO_EC
+            case EVP_PKEY_EC:
+                t = SSL_ALGO_ECC;
+                break;
+#endif 
             default:
                 break;
         }
@@ -174,6 +179,11 @@ char *ssl_util_algotypestr(ssl_algo_t t)
         case SSL_ALGO_DSA:
             cp = "DSA";
             break;
+#ifndef OPENSSL_NO_EC
+        case SSL_ALGO_ECC:
+            cp = "ECC";
+            break;
+#endif
         default:
             break;
     }
@@ -245,7 +255,11 @@ void ssl_asn1_table_unset(apr_hash_t *ta
     apr_hash_set(table, key, klen, NULL);
 }
 
+#ifndef OPENSSL_NO_EC
+static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"};
+#else
 static const char *ssl_asn1_key_types[] = {"RSA", "DSA"};
+#endif
 
 const char *ssl_asn1_keystr(int keytype)
 {



Mime
View raw message