httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: svn commit: r834378 - in /httpd/httpd/trunk: CHANGES docs/conf/extra/httpd-ssl.conf.in modules/ssl/mod_ssl.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h modules/ssl/ssl_toolkit_compat.h modules/ssl/ssl_util.c
Date Tue, 02 Feb 2010 17:06:27 GMT
On Tue, Nov 10, 2009 at 07:55:13AM -0000, sctemme@apache.org wrote:
> Author: sctemme
> Date: Tue Nov 10 07:55:13 2009
> New Revision: 834378
> 
> URL: http://svn.apache.org/viewvc?rev=834378&view=rev
> Log:
> enable support for ECC keys and ECDH ciphers.  Tested against
> OpenSSL 1.0.0b3.  [Vipul Gupta vipul.gupta sun.com, Sander Temme]
...
>  
> +#ifndef OPENSSL_NO_EC
> +EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen)
> +{
> +    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
> +    SSLModConfigRec *mc = myModConfig(c->base_server);
> +    int idx;
> +    static EC_KEY *ecdh = NULL;
> +    static init = 0;
> +
> +    /* XXX Uses 256-bit key for now. TODO: support other sizes. */
> +    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
> +                  "handing out temporary 256 bit ECC key");
> +
> +    if (init == 0) {
> +        ecdh = EC_KEY_new();
> +        if (ecdh != NULL) {
> +            /* ecdh->group = EC_GROUP_new_by_nid(NID_secp160r2); */
> +            EC_KEY_set_group(ecdh, 
> +              EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
> +        }
> +        init = 1;
> +    }
> +    
> +    return ecdh;
> +}
> +#endif

Just bumped into this code...

Is there a reason why the temporary ECDH keys have to be generated on 
the fly, rather than doing it ahead-of-time as is done for RSA and DH 
keys? (see ssl_tmp_keys_init etc)

Also, a comment explaining that ecdh->group line would be helpful.  
Should that be there?  Or not?

Regards, Joe

Mime
View raw message