On Tue, 10 Nov 2009, scte...@apache.org wrote:
Author: sctemme
Date: Tue Nov 10 07:55:13 2009
New Revision: 834378
URL: http://svn.apache.org/viewvc?rev=834378&view=rev
Log:
enable support for ECC keys and ECDH ciphers. Tested against
OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme]
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
httpd/httpd/trunk/modules/ssl/ssl_toolkit_compat.h
httpd/httpd/trunk/modules/ssl/ssl_util.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=834378&r1=834377&r2=834378&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Tue Nov 10 07:55:13 2009
@@ -356,7 +356,11 @@
* Check for problematic re-initializations
*/
if (mctx->pks->certs[SSL_AIDX_RSA] ||
- mctx->pks->certs[SSL_AIDX_DSA])
+ mctx->pks->certs[SSL_AIDX_DSA]
+#ifndef OPENSSL_NO_EC
+ || mctx->pks->certs[SSL_AIDX_ECC]
+#endif
+ )
{
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Illegal attempt to re-initialise SSL for server "
@@ -519,6 +523,9 @@
SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
+#ifndef OPENSSL_NO_EC
+ SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);
+#endif
SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
}
@@ -810,9 +817,16 @@
ssl_asn1_t *asn1;
MODSSL_D2I_PrivateKey_CONST unsigned char *ptr;
const char *type = ssl_asn1_keystr(idx);
- int pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
+ int pkey_type;
EVP_PKEY *pkey;
+#ifndef OPENSSL_NO_EC
+ if (idx == SSL_AIDX_ECC)
+ pkey_type = EVP_PKEY_EC;
+ else
+#endif /* SSL_LIBRARY_VERSION */
+ pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
+
if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) {
return FALSE;
}
@@ -922,20 +936,34 @@
apr_pool_t *ptemp,
modssl_ctx_t *mctx)
{
- const char *rsa_id, *dsa_id;
+ const char *rsa_id, *dsa_id, *ecc_id;
const char *vhost_id = mctx->sc->vhost_id;
int i;
- int have_rsa, have_dsa;
+ int have_rsa, have_dsa, have_ecc;
have_ecc and ecc_ic should be inside #ifndef OPENSSL_NO_EC
to avoid compiler warnings about unused variables.
rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
+#ifndef OPENSSL_NO_EC
+ ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
+#endif
have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
+#ifndef OPENSSL_NO_EC
+ have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
+#endif
- if (!(have_rsa || have_dsa)) {
+ if (!(have_rsa || have_dsa
+#ifndef OPENSSL_NO_EC
+ || have_ecc
+#endif
+)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+#ifndef OPENSSL_NO_EC
+ "Oops, no RSA, DSA or ECC server certificate found "
+#else
"Oops, no RSA or DSA server certificate found "
+#endif
"for '%s:%d'?!", s->server_hostname, s->port);
ssl_die();
}
The next four #ifs should be #ifndef OPENSSL_NO_EC. They break compilation
with openssl 0.9.8.
@@ -946,10 +974,21 @@
have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA);
have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA);
+#if SSL_LIBRARY_VERSION >= 0x00908000
+ have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC);
+#endif
- if (!(have_rsa || have_dsa)) {
+ if (!(have_rsa || have_dsa
+#if SSL_LIBRARY_VERSION >= 0x00908000
+ || have_ecc
+#endif
+ )) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+#if SSL_LIBRARY_VERSION >= 0x00908000
+ "Oops, no RSA, DSA or ECC server private key found?!");
+#else
"Oops, no RSA or DSA server private key found?!");
+#endif
ssl_die();
}
}