diff -Naur httpd-2.2.16/modules/ssl/mod_ssl.c httpd-2.2.16-ecc/modules/ssl/mod_ssl.c --- httpd-2.2.16/modules/ssl/mod_ssl.c 2010-07-12 20:47:45.000000000 +0200 +++ httpd-2.2.16-ecc/modules/ssl/mod_ssl.c 2011-01-04 21:54:17.587477515 +0100 @@ -424,6 +424,9 @@ */ SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA); SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH); +#ifndef OPENSSL_NO_EC + SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH); +#endif SSL_set_verify_result(ssl, X509_V_OK); diff -Naur httpd-2.2.16/modules/ssl/ssl_engine_init.c httpd-2.2.16-ecc/modules/ssl/ssl_engine_init.c --- httpd-2.2.16/modules/ssl/ssl_engine_init.c 2010-07-12 20:47:45.000000000 +0200 +++ httpd-2.2.16-ecc/modules/ssl/ssl_engine_init.c 2011-01-04 21:56:05.611610901 +0100 @@ -399,7 +399,11 @@ * Check for problematic re-initializations */ if (mctx->pks->certs[SSL_AIDX_RSA] || - mctx->pks->certs[SSL_AIDX_DSA]) + mctx->pks->certs[SSL_AIDX_DSA] +#ifndef OPENSSL_NO_EC + || mctx->pks->certs[SSL_AIDX_ECC] +#endif + ) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Illegal attempt to re-initialise SSL for server " @@ -554,6 +558,9 @@ SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); +#ifndef OPENSSL_NO_EC + SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH); +#endif SSL_CTX_set_info_callback(ctx, ssl_callback_Info); } @@ -821,9 +828,16 @@ ssl_asn1_t *asn1; MODSSL_D2I_PrivateKey_CONST unsigned char *ptr; const char *type = ssl_asn1_keystr(idx); - int pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA; + int pkey_type; EVP_PKEY *pkey; +#ifndef OPENSSL_NO_EC + if (idx == SSL_AIDX_ECC) + pkey_type = EVP_PKEY_EC; + else +#endif /* SSL_LIBRARY_VERSION */ + pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA; + if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) { return FALSE; } 
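Review bot: `SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);` is missing the space after the comma that the two sibling `SSL_CTX_set_tmp_*_callback` calls on the lines above have. More substantively, nothing in this hunk sets `SSL_OP_SINGLE_ECDH_USE` (it may be set elsewhere, I cannot see the rest of the function), so the ECDH key the callback hands out would be reused across handshakes if it ever carried a key pair; as far as I recall OpenSSL only generates a fresh pair when the supplied EC_KEY has none, which is what the new callback relies on. A comment at the call site recording that dependency, e.g. `/* callback returns a curve-only EC_KEY; fresh ECDH pair per handshake */`, would stop a later change to the callback from silently pinning one key for the process lifetime.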
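Review bot: The `else` that ends the `#ifndef OPENSSL_NO_EC` block binds to the ternary assignment after `#endif`, so the statement that is compiled unconditionally is the body of a conditionally compiled `else`; it is legal, but any later edit that inserts a line between `#endif` and the assignment changes the meaning only in EC builds, and a `switch` on `idx` keeps each case self-contained. The trailing `#endif /* SSL_LIBRARY_VERSION */` comment does not describe what it closes (`#ifndef OPENSSL_NO_EC`); the same mismatched tag appears on the `#endif`/`#else` lines in the ssl_private.h hunks at -181 and -589 and presumably was meant to point at the version gate in ssl_toolkit_compat.h, so `#endif /* !OPENSSL_NO_EC */` would be the accurate tag throughout. The enclosing function starts before this hunk and its body continues after it.
```c
    int pkey_type;
    EVP_PKEY *pkey;

    /* Map the key-table index to the EVP type; DSA stays the default as before. */
    switch (idx) {
    case SSL_AIDX_RSA:
        pkey_type = EVP_PKEY_RSA;
        break;
#ifndef OPENSSL_NO_EC
    case SSL_AIDX_ECC:
        pkey_type = EVP_PKEY_EC;
        break;
#endif /* !OPENSSL_NO_EC */
    default:
        pkey_type = EVP_PKEY_DSA;
        break;
    }
    /* … unchanged: ssl_asn1_table_get lookup … */
```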
@@ -934,19 +948,39 @@ modssl_ctx_t *mctx) { const char *rsa_id, *dsa_id; +#ifndef OPENSSL_NO_EC + const char *ecc_id; +#endif const char *vhost_id = mctx->sc->vhost_id; int i; int have_rsa, have_dsa; +#ifndef OPENSSL_NO_EC + int have_ecc; +#endif rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA); dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA); +#ifndef OPENSSL_NO_EC + ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC); +#endif have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA); have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA); +#ifndef OPENSSL_NO_EC + have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC); +#endif - if (!(have_rsa || have_dsa)) { + if (!(have_rsa || have_dsa +#ifndef OPENSSL_NO_EC + || have_ecc +#endif +)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +#ifndef OPENSSL_NO_EC + "Oops, no RSA, DSA or ECC server certificate found " +#else "Oops, no RSA or DSA server certificate found " +#endif "for '%s:%d'?!", s->server_hostname, s->port); ssl_die(); } @@ -957,10 +991,21 @@ have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA); have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA); +#ifndef OPENSSL_NO_EC + have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC); +#endif - if (!(have_rsa || have_dsa)) { + if (!(have_rsa || have_dsa +#ifndef OPENSSL_NO_EC + || have_ecc +#endif + )) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +#ifndef OPENSSL_NO_EC + "Oops, no RSA, DSA or ECC server private key found?!"); +#else "Oops, no RSA or DSA server private key found?!"); +#endif ssl_die(); } } diff -Naur httpd-2.2.16/modules/ssl/ssl_engine_kernel.c httpd-2.2.16-ecc/modules/ssl/ssl_engine_kernel.c --- httpd-2.2.16/modules/ssl/ssl_engine_kernel.c 2010-02-27 22:00:58.000000000 +0100 +++ httpd-2.2.16-ecc/modules/ssl/ssl_engine_kernel.c 2011-01-04 21:54:17.578477589 +0100 
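Review bot: Both `if (!(have_rsa || have_dsa` checks, here and in the -957 hunk below, splice `#ifndef OPENSSL_NO_EC` lines into the middle of an expression, and the closing `)) {` sits at column 0 in this hunk but indented in the next one. Declaring `int have_ecc = 0;` unconditionally (it is read in both conditions anyway) lets each check become the single line `if (!(have_rsa || have_dsa || have_ecc)) {` with the preprocessor guards confined to the `ecc_id` declaration and the two `ssl_server_import_*` calls that actually need them. The duplicated "Oops, …" format strings selected by `#ifndef`/`#else` could likewise collapse to one if they name the missing material generically. The enclosing function starts before this hunk.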
@@ -1287,6 +1287,33 @@ return (DH *)mc->pTmpKeys[idx]; } +#ifndef OPENSSL_NO_EC +EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen) +{ + conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); + SSLModConfigRec *mc = myModConfig(c->base_server); + int idx; + static EC_KEY *ecdh = NULL; + static init = 0; + + /* XXX Uses 256-bit key for now. TODO: support other sizes. */ + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, + "handing out temporary 256 bit ECC key"); + + if (init == 0) { + ecdh = EC_KEY_new(); + if (ecdh != NULL) { + /* ecdh->group = EC_GROUP_new_by_nid(NID_secp160r2); */ + EC_KEY_set_group(ecdh, + EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); + } + init = 1; + } + + return ecdh; +} +#endif + /* * This OpenSSL callback function is called when OpenSSL * does client authentication and verifies the certificate chain. diff -Naur httpd-2.2.16/modules/ssl/ssl_private.h httpd-2.2.16-ecc/modules/ssl/ssl_private.h --- httpd-2.2.16/modules/ssl/ssl_private.h 2010-07-12 20:47:45.000000000 +0200 +++ httpd-2.2.16-ecc/modules/ssl/ssl_private.h 2011-01-04 21:54:17.577477597 +0100 @@ -181,11 +181,21 @@ #define SSL_ALGO_UNKNOWN (0) #define SSL_ALGO_RSA (1<<0) #define SSL_ALGO_DSA (1<<1) +#ifndef OPENSSL_NO_EC +#define SSL_ALGO_ECC (1<<2) +#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC) +#else #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA) +#endif /* SSL_LIBRARY_VERSION */ #define SSL_AIDX_RSA (0) #define SSL_AIDX_DSA (1) +#ifndef OPENSSL_NO_EC +#define SSL_AIDX_ECC (2) +#define SSL_AIDX_MAX (3) +#else #define SSL_AIDX_MAX (2) +#endif /* SSL_LIBRARY_VERSION */ /** 
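Review bot: The lazy initialisation of the statics `ecdh` and `init` is unsynchronised, so under a threaded MPM two first handshakes can both enter `if (init == 0)` and race on `ecdh`; the RSA and DH callbacks just above avoid this by returning `mc->pTmpKeys[idx]` prepared at startup, and the ECDH parameters should be prepared the same way (the `mc` and `idx` locals, assigned here but never read, suggest that was the intent). Independently, `static init = 0;` relies on implicit int and must be `static int init = 0;`, the result of `EC_GROUP_new_by_curve_name` is passed to `EC_KEY_set_group` unchecked and that call's return value is ignored, and since `EC_KEY_set_group` keeps its own copy the returned `EC_GROUP` is leaked; the commented-out `NID_secp160r2` line should be deleted. The `export` and `keylen` arguments are ignored, which the XXX comment records, but a second comment is worth adding: the returned object carries only the curve and no key pair, and as far as I recall OpenSSL then generates a fresh ECDH pair per handshake, which is the intended ephemeral behaviour and should be stated so nobody reads this as one static key shared by every connection. The rewrite below fixes the local issues and keeps the lazy shape; the race itself needs the init-time allocation.
```c
EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen)
{
    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
    static EC_KEY *ecdh = NULL;
    static int init = 0;   /* NOTE(review): still unsynchronised; see note */

    /* … unchanged: XXX comment and debug log … */

    if (init == 0) {
        EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);

        /* Curve only: no key pair is generated or stored here. */
        ecdh = EC_KEY_new();
        if (ecdh == NULL || group == NULL || EC_KEY_set_group(ecdh, group) != 1) {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                          "could not set up temporary ECDH parameters");
            EC_KEY_free(ecdh);      /* NULL-safe */
            ecdh = NULL;
        }
        EC_GROUP_free(group);       /* NULL-safe; EC_KEY_set_group keeps its own copy */
        init = 1;
    }

    return ecdh;
}
```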
@@ -589,6 +599,9 @@ /** OpenSSL callbacks */ RSA *ssl_callback_TmpRSA(SSL *, int, int); DH *ssl_callback_TmpDH(SSL *, int, int); +#ifndef OPENSSL_NO_EC +EC_KEY *ssl_callback_TmpECDH(SSL *, int, int); +#endif /* SSL_LIBRARY_VERSION */ int ssl_callback_SSLVerify(int, X509_STORE_CTX *); int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey); diff -Naur httpd-2.2.16/modules/ssl/ssl_toolkit_compat.h httpd-2.2.16-ecc/modules/ssl/ssl_toolkit_compat.h --- httpd-2.2.16/modules/ssl/ssl_toolkit_compat.h 2010-07-12 20:47:45.000000000 +0200 +++ httpd-2.2.16-ecc/modules/ssl/ssl_toolkit_compat.h 2011-01-04 21:55:26.583924797 +0100 @@ -38,6 +38,13 @@ #include #include #include + + +/* ECC support came along in OpenSSL 1.0.0 */ +#if (OPENSSL_VERSION_NUMBER < 0x10000000) +#define OPENSSL_NO_EC +#endif + /** Avoid tripping over an engine build installed globally and detected * when the user points at an explicit non-engine flavor of OpenSSL */ diff -Naur httpd-2.2.16/modules/ssl/ssl_util.c httpd-2.2.16-ecc/modules/ssl/ssl_util.c --- httpd-2.2.16/modules/ssl/ssl_util.c 2008-09-18 16:34:51.000000000 +0200 +++ httpd-2.2.16-ecc/modules/ssl/ssl_util.c 2011-01-04 21:54:17.578477589 +0100 @@ -150,6 +150,11 @@ case EVP_PKEY_DSA: t = SSL_ALGO_DSA; break; +#ifndef OPENSSL_NO_EC + case EVP_PKEY_EC: + t = SSL_ALGO_ECC; + break; +#endif default: break; } @@ -174,6 +179,11 @@ case SSL_ALGO_DSA: cp = "DSA"; break; +#ifndef OPENSSL_NO_EC + case SSL_ALGO_ECC: + cp = "ECC"; + break; +#endif default: break; } @@ -245,7 +255,11 @@ apr_hash_set(table, key, klen, NULL); } +#ifndef OPENSSL_NO_EC +static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"}; +#else static const char *ssl_asn1_key_types[] = {"RSA", "DSA"}; +#endif const char *ssl_asn1_keystr(int keytype) {
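Review bot: The comment `/* ECC support came along in OpenSSL 1.0.0 */` overstates the cutoff: the EC_KEY API and the ECDH cipher suites already shipped in 0.9.8 behind the library's own `OPENSSL_NO_EC` and `OPENSSL_NO_ECDH` configuration macros, so if the 1.0.0 gate is a deliberate conservative choice the comment should say so, and otherwise the gate can go and the library's own macro be honoured. Defining `OPENSSL_NO_EC` from mod_ssl also overloads a library configuration macro, and it checks only the EC half: a library built with EC but `OPENSSL_NO_ECDH` would still compile the `SSL_*_set_tmp_ecdh_callback` calls this patch adds. A module-local macro set from `OPENSSL_VERSION_NUMBER`, `OPENSSL_NO_EC` and `OPENSSL_NO_ECDH` together, used by every `#ifndef OPENSSL_NO_EC` in the patch, would make the intent explicit and leave the library's macros untouched.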
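Review bot: `ssl_asn1_key_types[]` is sized implicitly by its initialiser while the index it is looked up by is bounded by `SSL_AIDX_MAX` from ssl_private.h, and the two are now kept in step only by parallel `#ifndef OPENSSL_NO_EC` blocks in two files. Declaring it as `static const char *ssl_asn1_key_types[SSL_AIDX_MAX] = {"RSA", "DSA", "ECC"};` (and the two-entry form likewise) turns a table that is longer than `SSL_AIDX_MAX` into a compile error instead of a silent mismatch; a shorter table would still yield a NULL entry, so `ssl_asn1_keystr`, whose body continues outside the hunk, would also benefit from a bounds check on `keytype`.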