Return-Path: 
 <dev-return-66780-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-dev-archive@www.apache.org
Received: (qmail 81040 invoked from network); 10 Nov 2009 16:29:26 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 10 Nov 2009 16:29:26 -0000
Received: (qmail 87409 invoked by uid 500); 10 Nov 2009 16:29:25 -0000
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 87343 invoked by uid 500); 10 Nov 2009 16:29:25 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
List-Post: <mailto:dev@httpd.apache.org>
List-Id: <dev.httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 87334 invoked by uid 99); 10 Nov 2009 16:29:25 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 10 Nov 2009 16:29:25 +0000
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy)
Received: from [188.40.99.202] (HELO eru.sfritsch.de) (188.40.99.202)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 10 Nov 2009 16:29:14 +0000
Received: from stf (helo=localhost)
	by eru.sfritsch.de with local-esmtp (Exim 4.69)
	(envelope-from <sf@sfritsch.de>)
	id 1N7taQ-0005Ez-I1
	for dev@httpd.apache.org; Tue, 10 Nov 2009 17:28:54 +0100
Date: Tue, 10 Nov 2009 17:28:54 +0100 (CET)
From: Stefan Fritsch <sf@sfritsch.de>
To: dev@httpd.apache.org
Subject: Re: svn commit: r834378 - in /httpd/httpd/trunk: CHANGES
 docs/conf/extra/httpd-ssl.conf.in modules/ssl/mod_ssl.c
 modules/ssl/ssl_engine_init.c
 modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
 modules/ssl/ssl_toolkit_compat.h
 modules/ssl/ssl_util.c
In-Reply-To: <20091110075514.166A6238890A@eris.apache.org>
Message-ID: <alpine.DEB.1.10.0911101722140.19977@eru.sfritsch.de>
References: <20091110075514.166A6238890A@eris.apache.org>
User-Agent: Alpine 1.10 (DEB 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Virus-Checked: Checked by ClamAV on apache.org

On Tue, 10 Nov 2009, sctemme@apache.org wrote:

> Author: sctemme
> Date: Tue Nov 10 07:55:13 2009
> New Revision: 834378
>
> URL: http://svn.apache.org/viewvc?rev=834378&view=rev
> Log:
> enable support for ECC keys and ECDH ciphers.  Tested against
> OpenSSL 1.0.0b3.  [Vipul Gupta vipul.gupta sun.com, Sander Temme]
>
> Modified:
>    httpd/httpd/trunk/CHANGES
>    httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
>    httpd/httpd/trunk/modules/ssl/mod_ssl.c
>    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>    httpd/httpd/trunk/modules/ssl/ssl_private.h
>    httpd/httpd/trunk/modules/ssl/ssl_toolkit_compat.h
>    httpd/httpd/trunk/modules/ssl/ssl_util.c
>




> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=834378&r1=834377&r2=834378&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Tue Nov 10 07:55:13 2009
> @@ -356,7 +356,11 @@
>      *  Check for problematic re-initializations
>      */
>     if (mctx->pks->certs[SSL_AIDX_RSA] ||
> -        mctx->pks->certs[SSL_AIDX_DSA])
> +        mctx->pks->certs[SSL_AIDX_DSA]
> +#ifndef OPENSSL_NO_EC
> +      || mctx->pks->certs[SSL_AIDX_ECC]
> +#endif
> +        )
>     {
>         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
>                 "Illegal attempt to re-initialise SSL for server "
> @@ -519,6 +523,9 @@
>
>     SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
>     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
> +#ifndef OPENSSL_NO_EC
> +    SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);
> +#endif
>
>     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
> }
> @@ -810,9 +817,16 @@
>     ssl_asn1_t *asn1;
>     MODSSL_D2I_PrivateKey_CONST unsigned char *ptr;
>     const char *type = ssl_asn1_keystr(idx);
> -    int pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
> +    int pkey_type;
>     EVP_PKEY *pkey;
>
> +#ifndef OPENSSL_NO_EC
> +    if (idx == SSL_AIDX_ECC)
> +      pkey_type = EVP_PKEY_EC;
> +    else
> +#endif /* SSL_LIBRARY_VERSION */
> +    pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
> +
>     if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) {
>         return FALSE;
>     }
> @@ -922,20 +936,34 @@
>                                   apr_pool_t *ptemp,
>                                   modssl_ctx_t *mctx)
> {
> -    const char *rsa_id, *dsa_id;
> +    const char *rsa_id, *dsa_id, *ecc_id;
>     const char *vhost_id = mctx->sc->vhost_id;
>     int i;
> -    int have_rsa, have_dsa;
> +    int have_rsa, have_dsa, have_ecc;

have_ecc and ecc_ic should be inside #ifndef OPENSSL_NO_EC
  to avoid compiler warnings about unused variables.

>
>     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
>     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
> +#ifndef OPENSSL_NO_EC
> +    ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
> +#endif
>
>     have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
>     have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
> +#ifndef OPENSSL_NO_EC
> +    have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
> +#endif
>
> -    if (!(have_rsa || have_dsa)) {
> +    if (!(have_rsa || have_dsa
> +#ifndef OPENSSL_NO_EC
> +        || have_ecc
> +#endif
> +)) {
>         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
> +#ifndef OPENSSL_NO_EC
> +                "Oops, no RSA, DSA or ECC server certificate found "
> +#else
>                 "Oops, no RSA or DSA server certificate found "
> +#endif
>                 "for '%s:%d'?!", s->server_hostname, s->port);
>         ssl_die();
>     }

The next four #ifs should be #ifndef OPENSSL_NO_EC. They break compilation 
with openssl 0.9.8.

> @@ -946,10 +974,21 @@
>
>     have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA);
>     have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA);
> +#if SSL_LIBRARY_VERSION >= 0x00908000
> +    have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC);
> +#endif
>
> -    if (!(have_rsa || have_dsa)) {
> +    if (!(have_rsa || have_dsa
> +#if SSL_LIBRARY_VERSION >= 0x00908000
> +        || have_ecc
> +#endif
> +          )) {
>         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
> +#if SSL_LIBRARY_VERSION >= 0x00908000
> +                "Oops, no RSA, DSA or ECC server private key found?!");
> +#else
>                 "Oops, no RSA or DSA server private key found?!");
> +#endif
>         ssl_die();
>     }
> }
>