
sf at sfritsch
Nov 10, 2009, 8:28 AM
Re: svn commit: r834378 - in /httpd/httpd/trunk: CHANGES docs/conf/extra/httpd-ssl.conf.in modules/ssl/mod_ssl.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h modules/ssl/ssl_toolkit_compat.h modules/ssl/ssl_util.
On Tue, 10 Nov 2009, sctemme [at] apache wrote:
> Author: sctemme
> Date: Tue Nov 10 07:55:13 2009
> New Revision: 834378
>
> URL: http://svn.apache.org/viewvc?rev=834378&view=rev
> Log:
> enable support for ECC keys and ECDH ciphers. Tested against
> OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme]
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> httpd/httpd/trunk/modules/ssl/ssl_private.h
> httpd/httpd/trunk/modules/ssl/ssl_toolkit_compat.h
> httpd/httpd/trunk/modules/ssl/ssl_util.c
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=834378&r1=834377&r2=834378&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Tue Nov 10 07:55:13 2009
> @@ -356,7 +356,11 @@
> * Check for problematic re-initializations
> */
> if (mctx->pks->certs[SSL_AIDX_RSA] ||
> - mctx->pks->certs[SSL_AIDX_DSA])
> + mctx->pks->certs[SSL_AIDX_DSA]
> +#ifndef OPENSSL_NO_EC
> + || mctx->pks->certs[SSL_AIDX_ECC]
> +#endif
> + )
> {
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
> "Illegal attempt to re-initialise SSL for server "
> @@ -519,6 +523,9 @@
>
> SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
> SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
> +#ifndef OPENSSL_NO_EC
> + SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);
> +#endif
>
> SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
> }
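Review bot: The re-initialisation check in the @@ -356 hunk now has a `#ifndef OPENSSL_NO_EC` block sitting inside the `if (...)` condition with the closing `)` left on a line of its own, which is hard to read and easy to break the next time someone touches the condition. Hoisting the test into a local keeps the `if` free of preprocessor directives: `int have_cert = mctx->pks->certs[SSL_AIDX_RSA] || mctx->pks->certs[SSL_AIDX_DSA];` followed by a guarded `have_cert = have_cert || mctx->pks->certs[SSL_AIDX_ECC];` under `#ifndef OPENSSL_NO_EC`, then `if (have_cert)`. The enclosing function starts and ends outside the hunk.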
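Review bot: The new registration in the @@ -519 hunk is written as `SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);`, without the space after the comma that the RSA and DH lines directly above it use; `SSL_CTX_set_tmp_ecdh_callback(ctx, ssl_callback_TmpECDH);` matches them. `ssl_callback_TmpECDH` is not defined in this diff, and since the curve that callback returns fixes the strength of every ECDH key exchange this context will do, a one-line comment at the registration naming that choice (or where it is configured) would help the next reader; I have not seen the callback body, so I cannot say what it returns. The enclosing function starts outside the hunk.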
> @@ -810,9 +817,16 @@
> ssl_asn1_t *asn1;
> MODSSL_D2I_PrivateKey_CONST unsigned char *ptr;
> const char *type = ssl_asn1_keystr(idx);
> - int pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
> + int pkey_type;
> EVP_PKEY *pkey;
>
> +#ifndef OPENSSL_NO_EC
> + if (idx == SSL_AIDX_ECC)
> + pkey_type = EVP_PKEY_EC;
> + else
> +#endif /* SSL_LIBRARY_VERSION */
> + pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
> +
> if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) {
> return FALSE;
> }
> @@ -922,20 +936,34 @@
> apr_pool_t *ptemp,
> modssl_ctx_t *mctx)
> {
> - const char *rsa_id, *dsa_id;
> + const char *rsa_id, *dsa_id, *ecc_id;
> const char *vhost_id = mctx->sc->vhost_id;
> int i;
> - int have_rsa, have_dsa;
> + int have_rsa, have_dsa, have_ecc;
have_ecc and ecc_ic should be inside #ifndef OPENSSL_NO_EC to avoid compiler warnings about unused variables.
>
> rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
> dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
> +#ifndef OPENSSL_NO_EC
> + ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
> +#endif
>
> have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
> have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
> +#ifndef OPENSSL_NO_EC
> + have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
> +#endif
>
> - if (!(have_rsa || have_dsa)) {
> + if (!(have_rsa || have_dsa
> +#ifndef OPENSSL_NO_EC
> + || have_ecc
> +#endif
> +)) {
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
> +#ifndef OPENSSL_NO_EC
> + "Oops, no RSA, DSA or ECC server certificate found "
> +#else
> "Oops, no RSA or DSA server certificate found "
> +#endif
> "for '%s:%d'?!", s->server_hostname, s->port);
> ssl_die();
> }
The next four #ifs should be #ifndef OPENSSL_NO_EC. They break compilation with openssl 0.9.8.
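Review bot: In the @@ -810 hunk the closing directive is annotated `#endif /* SSL_LIBRARY_VERSION */` although the block it closes was opened with `#ifndef OPENSSL_NO_EC`; the trailing comment exists to tell a reader which condition ends here, so it should read `#endif /* OPENSSL_NO_EC */`. The same block also leaves a bare `else` dangling across the `#endif`, so the `pkey_type = ...` assignment is the else-branch in one build and a plain statement in the other; bracing both branches, `} else {` ... `}` with the closing brace also inside the `#ifndef`, or putting the whole selection in a small static helper, makes that reading explicit. The enclosing function starts and ends outside the hunk.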
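Review bot: In the @@ -922 hunk the condition's closing `)) {` appears to sit at column 0 (the other continuation lines in this diff keep an indent, this one has none), which reads like a stray brace rather than the end of the `if`, and the same `#ifndef OPENSSL_NO_EC` is opened four times within about twenty lines. Folding the ECC term into a local before the `if` (`int have_cert = have_rsa || have_dsa;`, then `have_cert = have_cert || have_ecc;` inside one `#ifndef`) leaves a plain `if (!have_cert) {` and removes two of the four directives. The enclosing function starts outside the hunk and continues past it.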
> @@ -946,10 +974,21 @@
>
> have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA);
> have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA);
> +#if SSL_LIBRARY_VERSION >= 0x00908000
> + have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC);
> +#endif
>
> - if (!(have_rsa || have_dsa)) {
> + if (!(have_rsa || have_dsa
> +#if SSL_LIBRARY_VERSION >= 0x00908000
> + || have_ecc
> +#endif
> + )) {
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
> +#if SSL_LIBRARY_VERSION >= 0x00908000
> + "Oops, no RSA, DSA or ECC server private key found?!");
> +#else
> "Oops, no RSA or DSA server private key found?!");
> +#endif
> ssl_die();
> }
> }
>
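Review bot: The new private-key error message in this hunk names no virtual host, whereas the matching certificate message added earlier in the same function ends with `for '%s:%d'` and passes `s->server_hostname, s->port`; an administrator with several vhosts gets a fatal "no ... private key found" and no pointer to which vhost is misconfigured. Suggest `"Oops, no RSA, DSA or ECC server private key found for '%s:%d'?!", s->server_hostname, s->port);` and the same suffix on the `#else` branch, so the two checks log alike; `s` is already the server_rec handed to `ap_log_error` on the line above. The enclosing function starts outside the hunk; its closing brace is inside it.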