
Mailing List Archive: Apache: Dev

Re: svn commit: r834378 - in /httpd/httpd/trunk: CHANGES docs/conf/extra/httpd-ssl.conf.in modules/ssl/mod_ssl.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h modules/ssl/ssl_toolkit_compat.h modules/ssl/ssl_util.

 

 



jorton at redhat

Feb 2, 2010, 9:06 AM


On Tue, Nov 10, 2009 at 07:55:13AM -0000, sctemme [at] apache wrote:
> Author: sctemme
> Date: Tue Nov 10 07:55:13 2009
> New Revision: 834378
>
> URL: http://svn.apache.org/viewvc?rev=834378&view=rev
> Log:
> enable support for ECC keys and ECDH ciphers. Tested against
> OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme]
...
>
> +#ifndef OPENSSL_NO_EC
> +EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen)
> +{
> + conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
> + SSLModConfigRec *mc = myModConfig(c->base_server);
> + int idx;
> + static EC_KEY *ecdh = NULL;
> + static init = 0;
> +
> + /* XXX Uses 256-bit key for now. TODO: support other sizes. */
> + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
> + "handing out temporary 256 bit ECC key");
> +
> + if (init == 0) {
> + ecdh = EC_KEY_new();
> + if (ecdh != NULL) {
> + /* ecdh->group = EC_GROUP_new_by_nid(NID_secp160r2); */
> + EC_KEY_set_group(ecdh,
> + EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
> + }
> + init = 1;
> + }
> +
> + return ecdh;
> +}
> +#endif
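
Review bot: the lazy initialisation under `if (init == 0)` sets `init = 1` even when `EC_KEY_new()` returns NULL, and the results of `EC_GROUP_new_by_curve_name()` and `EC_KEY_set_group()` are never checked, so one failed call leaves `ecdh` NULL or without a group for every later call, while the debug message above it still reports that a 256 bit key is being handed out. Check each call, log the failure, and set `init` only once the key has its group. The two function-level statics are read and written with no lock visible in this hunk, which matters if the callback can run on more than one thread. `static init = 0;` also lacks a type and should be `static int init = 0;`, and `mc` and `idx` are declared but not used.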

Just bumped into this code...

Is there a reason why the temporary ECDH keys have to be generated on
the fly, rather than doing it ahead-of-time as is done for RSA and DH
keys? (see ssl_tmp_keys_init etc)

Also, a comment explaining that ecdh->group line would be helpful.
Should that be there? Or not?

Regards, Joe
