httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: svn commit: r834378 - in /httpd/httpd/trunk: CHANGES docs/conf/extra/httpd-ssl.conf.in modules/ssl/mod_ssl.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h modules/ssl/ssl_toolkit_compat.h modules/ssl/ssl_util.c
Date Tue, 10 Nov 2009 16:28:54 GMT
On Tue, 10 Nov 2009, sctemme@apache.org wrote:

> Author: sctemme
> Date: Tue Nov 10 07:55:13 2009
> New Revision: 834378
>
> URL: http://svn.apache.org/viewvc?rev=834378&view=rev
> Log:
> enable support for ECC keys and ECDH ciphers.  Tested against
> OpenSSL 1.0.0b3.  [Vipul Gupta vipul.gupta sun.com, Sander Temme]
>
> Modified:
>    httpd/httpd/trunk/CHANGES
>    httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
>    httpd/httpd/trunk/modules/ssl/mod_ssl.c
>    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>    httpd/httpd/trunk/modules/ssl/ssl_private.h
>    httpd/httpd/trunk/modules/ssl/ssl_toolkit_compat.h
>    httpd/httpd/trunk/modules/ssl/ssl_util.c
>




> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=834378&r1=834377&r2=834378&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Tue Nov 10 07:55:13 2009
> @@ -356,7 +356,11 @@
>      *  Check for problematic re-initializations
>      */
>     if (mctx->pks->certs[SSL_AIDX_RSA] ||
> -        mctx->pks->certs[SSL_AIDX_DSA])
> +        mctx->pks->certs[SSL_AIDX_DSA]
> +#ifndef OPENSSL_NO_EC
> +      || mctx->pks->certs[SSL_AIDX_ECC]
> +#endif
> +        )
>     {
>         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
>                 "Illegal attempt to re-initialise SSL for server "
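Review bot: The closing parenthesis of the preprocessor-split `||` condition is placed differently each time this pattern appears: on its own line at eight spaces here, at column 0 as `)) {` in the certificate-import hunk, and at ten spaces as `)) {` in the key-import hunk. Since the `#ifndef OPENSSL_NO_EC` operand forces the parenthesis onto a separate line anyway, pick one indentation for it (aligning with the `if` keyword, `    ) {`, reads cleanest) and use it in all three places. The function enclosing this hunk begins and ends outside it.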
> @@ -519,6 +523,9 @@
>
>     SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
>     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
> +#ifndef OPENSSL_NO_EC
> +    SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);
> +#endif
>
>     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
> }
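Review bot: The new call `SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);` is missing the space after the comma that the two sibling `SSL_CTX_set_tmp_rsa_callback` / `SSL_CTX_set_tmp_dh_callback` lines immediately above use, so the three callback registrations no longer line up. Write it as `SSL_CTX_set_tmp_ecdh_callback(ctx, ssl_callback_TmpECDH);` to match. The function this hunk ends starts outside the hunk.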
> @@ -810,9 +817,16 @@
>     ssl_asn1_t *asn1;
>     MODSSL_D2I_PrivateKey_CONST unsigned char *ptr;
>     const char *type = ssl_asn1_keystr(idx);
> -    int pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
> +    int pkey_type;
>     EVP_PKEY *pkey;
>
> +#ifndef OPENSSL_NO_EC
> +    if (idx == SSL_AIDX_ECC)
> +      pkey_type = EVP_PKEY_EC;
> +    else
> +#endif /* SSL_LIBRARY_VERSION */
> +    pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
> +
>     if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) {
>         return FALSE;
>     }
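Review bot: The trailing comment `#endif /* SSL_LIBRARY_VERSION */` names a macro this block never tests; the `#endif` closes the `#ifndef OPENSSL_NO_EC` opened four lines earlier, so the comment should read `#endif /* !OPENSSL_NO_EC */` to avoid misleading the next reader about which guard is in effect. Separately, the `else` on the line before the `#endif` takes the following `pkey_type = ...` assignment as an unbraced body in EC builds, while in `OPENSSL_NO_EC` builds the same line is a plain statement; bracing both the `if` body and the shared assignment makes the two configurations read identically and keeps a later added statement from silently falling outside the `else`. The enclosing function starts before and continues past this hunk.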
> @@ -922,20 +936,34 @@
>                                   apr_pool_t *ptemp,
>                                   modssl_ctx_t *mctx)
> {
> -    const char *rsa_id, *dsa_id;
> +    const char *rsa_id, *dsa_id, *ecc_id;
>     const char *vhost_id = mctx->sc->vhost_id;
>     int i;
> -    int have_rsa, have_dsa;
> +    int have_rsa, have_dsa, have_ecc;

have_ecc and ecc_id should be inside #ifndef OPENSSL_NO_EC
  to avoid compiler warnings about unused variables.

>
>     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
>     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
> +#ifndef OPENSSL_NO_EC
> +    ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
> +#endif
>
>     have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
>     have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
> +#ifndef OPENSSL_NO_EC
> +    have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
> +#endif
>
> -    if (!(have_rsa || have_dsa)) {
> +    if (!(have_rsa || have_dsa
> +#ifndef OPENSSL_NO_EC
> +        || have_ecc
> +#endif
> +)) {
>         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
> +#ifndef OPENSSL_NO_EC
> +                "Oops, no RSA, DSA or ECC server certificate found "
> +#else
>                 "Oops, no RSA or DSA server certificate found "
> +#endif
>                 "for '%s:%d'?!", s->server_hostname, s->port);
>         ssl_die();
>     }

The next four #ifs should be #ifndef OPENSSL_NO_EC. They break compilation 
with openssl 0.9.8.

> @@ -946,10 +974,21 @@
>
>     have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA);
>     have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA);
> +#if SSL_LIBRARY_VERSION >= 0x00908000
> +    have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC);
> +#endif
>
> -    if (!(have_rsa || have_dsa)) {
> +    if (!(have_rsa || have_dsa
> +#if SSL_LIBRARY_VERSION >= 0x00908000
> +        || have_ecc
> +#endif
> +          )) {
>         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
> +#if SSL_LIBRARY_VERSION >= 0x00908000
> +                "Oops, no RSA, DSA or ECC server private key found?!");
> +#else
>                 "Oops, no RSA or DSA server private key found?!");
> +#endif
>         ssl_die();
>     }
> }
>
