Updated Branches: refs/heads/master 6ae5e9219 -> 14ef40ef2
TS-2372: improved OpenSSL EC key support detection
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/14ef40ef
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/14ef40ef
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/14ef40ef
Branch: refs/heads/master
Commit: 14ef40ef2f3bd4c62ed18a5737508167a57d371e
Parents: 6ae5e92
Author: James Peach <[email protected]>
Authored: Wed Dec 4 20:52:48 2013 -0800
Committer: James Peach <[email protected]>
Committed: Wed Dec 4 20:52:48 2013 -0800
----------------------------------------------------------------------
build/crypto.m4 | 15 ++++++++++++++-
configure.ac | 4 ++++
iocore/net/SSLUtils.cc | 6 +++++-
lib/ts/ink_config.h.in | 1 +
4 files changed, 24 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/build/crypto.m4
----------------------------------------------------------------------
diff --git a/build/crypto.m4 b/build/crypto.m4
index 20cefb7..998e147 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -111,6 +111,19 @@ fi
 ])
+AC_DEFUN([TS_CHECK_CRYPTO_EC_KEYS], [
+ _eckeys_saved_LIBS=$LIBS
+ TS_ADDTO(LIBS, [$LIBSSL])
+ AC_CHECK_HEADERS(openssl/ec.h)
+ AC_CHECK_FUNCS(EC_KEY_new_by_curve_name, [enable_tls_eckey=yes], [enable_tls_eckey=no])
+ LIBS=$_eckeys_saved_LIBS
+
+ AC_MSG_CHECKING(whether EC keys are supported)
+ AC_MSG_RESULT([$enable_tls_eckey])
+ TS_ARG_ENABLE_VAR([use], [tls-eckey])
+ AC_SUBST(use_tls_eckey)
+])
+
 AC_DEFUN([TS_CHECK_CRYPTO_NEXTPROTONEG], [
 enable_tls_npn=yes
 _npn_saved_LIBS=$LIBS
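Review bot: In TS_CHECK_CRYPTO_EC_KEYS the result of `AC_CHECK_HEADERS(openssl/ec.h)` is computed but never consulted; enable_tls_eckey is set by the AC_CHECK_FUNCS outcome alone, so a toolchain where EC_KEY_new_by_curve_name links but the header is absent still reports EC keys as supported, and the build may then break in iocore/net/SSLUtils.cc instead of being gated off. Folding both probes into the flag, the way TS_CHECK_CRYPTO_NEXTPROTONEG starts from `enable_tls_npn=yes` in the context lines, would read `enable_tls_eckey=yes`, `AC_CHECK_HEADERS(openssl/ec.h, [], [enable_tls_eckey=no])`, `AC_CHECK_FUNCS(EC_KEY_new_by_curve_name, [], [enable_tls_eckey=no])`. Since this flag decides whether ECDHE is compiled in at all, a one-line comment above the AC_DEFUN would help the next reader: `# Detect EC key support in libcrypto; the result becomes TS_USE_TLS_ECKEY, which gates the ECDHE setup in iocore/net/SSLUtils.cc.` Whether TS_ARG_ENABLE_VAR lets a user override the detected value is not visible here.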
@@ -131,7 +144,7 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
 enable_tls_sni=yes
 TS_ADDTO(LIBS, [$LIBSSL])
- AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h openssl/ec.h)
+ AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h)
 # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
 # macro, so AC_CHECK_FUNCS is not going to do the business.
 AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/configure.ac
----------------------------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 96bb953..dde8c40 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1123,6 +1123,10 @@ fi
 TS_CHECK_CRYPTO_NEXTPROTONEG
 #
+# Check for EC key support.
+TS_CHECK_CRYPTO_EC_KEYS
+
+#
 # Check for ServerNameIndication TLS extension support.
 TS_CHECK_CRYPTO_SNI
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 2dc691c..3ef6165 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -192,9 +192,11 @@ ssl_context_enable_sni(SSL_CTX * ctx, SSLCertLookup * lookup)
 static void
 ssl_enable_ecdh(SSL_CTX * ctx)
 {
+#if TS_USE_TLS_ECKEY
+
 #if defined(SSL_CTRL_SET_ECDH_AUTO)
 SSL_CTX_set_ecdh_auto(ctx, 1);
-#elif defined(NID_X9_62_prime256v1)
+#elif defined(HAVE_EC_KEY_NEW_BY_CURVE_NAME) && defined(NID_X9_62_prime256v1)
 EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);

 if (ecdh) {
@@ -202,6 +204,8 @@ ssl_enable_ecdh(SSL_CTX * ctx)
 EC_KEY_free(ecdh);
 }
 #endif
+
+#endif
 }

 void
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/lib/ts/ink_config.h.in
----------------------------------------------------------------------
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 9dfb46a..ee1e029 100644
--- a/lib/ts/ink_config.h.in
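Review bot: Once TS_USE_TLS_ECKEY is 0 the new outer `#if` empties the whole body of ssl_enable_ecdh, so a build whose configure probe failed for any reason silently comes up without ECDHE cipher suites, and beyond the "whether EC keys are supported" configure line nothing in the build or at run time says so; the function ends in the next hunk, where the matching `#endif` is added, and the same point applies there. An `#else` branch ahead of that closing `#endif` carrying `#warning "EC key support not detected at configure time; ECDHE will be unavailable"` (or at least a comment to that effect) would make the degraded state visible. The outer guard also disables the `SSL_CTX_set_ecdh_auto` path, which as written does not call EC_KEY_new_by_curve_name, so if that branch is meant to survive a failed function probe the two conditions should not be nested.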
+++ b/lib/ts/ink_config.h.in
@@ -67,6 +67,7 @@
 #define TS_USE_RECLAIMABLE_FREELIST @use_reclaimable_freelist@
 #define TS_USE_TLS_NPN @use_tls_npn@
 #define TS_USE_TLS_SNI @use_tls_sni@
+#define TS_USE_TLS_ECKEY @use_tls_eckey@
 #define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
 #define TS_USE_COP_DEBUG @use_cop_debug@
 #define TS_USE_INTERIM_CACHE @has_interim_cache@
