On Tue, Nov 10, 2009 at 07:55:13AM -0000, [email protected] wrote: > Author: sctemme > Date: Tue Nov 10 07:55:13 2009 > New Revision: 834378 > > URL: http://svn.apache.org/viewvc?rev=834378&view=rev > Log: > enable support for ECC keys and ECDH ciphers. Tested against > OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme] ... > > +#ifndef OPENSSL_NO_EC > +EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen) > +{ > + conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); > + SSLModConfigRec *mc = myModConfig(c->base_server); > + int idx; > + static EC_KEY *ecdh = NULL; > + static init = 0; > + > + /* XXX Uses 256-bit key for now. TODO: support other sizes. */ > + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, > + "handing out temporary 256 bit ECC key"); > + > + if (init == 0) { > + ecdh = EC_KEY_new(); > + if (ecdh != NULL) { > + /* ecdh->group = EC_GROUP_new_by_nid(NID_secp160r2); */ > + EC_KEY_set_group(ecdh, > + EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); > + } > + init = 1; > + } > + > + return ecdh; > +} > +#endif
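Review bot: the first-call initialization in ssl_callback_TmpECDH is fragile and leaks. `static init = 0;` has no type (implicit int, which newer compilers reject); `init = 1` is set even when `EC_KEY_new()` returns NULL, so after one allocation failure every later handshake silently gets a NULL key with nothing logged; the `EC_GROUP` returned by `EC_GROUP_new_by_curve_name` is neither checked for NULL nor freed, although `EC_KEY_set_group` keeps its own copy, so the group object is leaked; and both statics are written from connection context without a lock, so concurrent first handshakes under a threaded MPM can race on them. Suggest `static int init = 0;`, a NULL check on the group followed by `EC_GROUP_free()` once it has been set on the key, leaving `init` unset and logging at APLOG_ERR on failure, or preferably building the key once at startup so no per-connection initialization is needed. Separately, `export` and `keylen` are ignored while the log message hard-codes "256 bit", and the commented-out `ecdh->group = EC_GROUP_new_by_nid(NID_secp160r2);` line should either be removed or get a comment explaining why it is kept.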
Just bumped into this code... Is there a reason why the temporary ECDH keys have to be generated on the fly, rather than doing it ahead-of-time as is done for RSA and DH keys? (see ssl_tmp_keys_init etc)

Also, a comment explaining that ecdh->group line would be helpful. Should that be there? Or not?

Regards, Joe
