[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 60/156: Add support for Elliptical Curve Cryptography (ECC). This is disabled by default. To enable it, pass --enable-ecc to configure.
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:29 UTC 2014
This is an automated email from the git hooks/post-receive script.
tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.
commit b9131c4fa214f39705da4246425645a6c587d488
Author: rcritten <>
Date: Thu Mar 2 19:21:54 2006 +0000
Add support for Elliptical Curve Cryptography (ECC). This is disabled
by default. To enable it, pass --enable-ecc to configure.
---
Makefile.am | 1 -
Makefile.in | 1 -
configure | 103 +++++++++++++++----------------
configure.in | 17 +++++-
mod_nss.c | 7 ++-
mod_nss.h | 16 +++++
nss.conf.in | 17 +++++-
nss_engine_config.c | 19 ++++++
nss_engine_init.c | 170 ++++++++++++++++++++++++++++++++++++----------------
nss_engine_io.c | 4 +-
nss_engine_kernel.c | 8 ++-
nss_engine_vars.c | 23 ++++++-
12 files changed, 271 insertions(+), 115 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 61500fc..66fa6a3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -12,7 +12,6 @@ libmodnss_la_LDFLAGS = -module -avoid-version
## Set the includes and libraries needed
INCLUDES = -I at apache_inc@ @nspr_inc@ @nss_inc@ @apr_inc@
LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4
- at SSL2_TRUE@AM_CFLAGS=-DWANT_SSL2
EXTRA_CPPFLAGS=@extra_cppflags@
install-libLTLIBRARIES: libmodnss.la
diff --git a/Makefile.in b/Makefile.in
index 29e322c..a587bcf 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -121,7 +121,6 @@ libmodnss_la_LDFLAGS = -module -avoid-version
INCLUDES = -I at apache_inc@ @nspr_inc@ @nss_inc@ @apr_inc@
LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4
- at SSL2_TRUE@AM_CFLAGS = -DWANT_SSL2
EXTRA_CPPFLAGS = @extra_cppflags@
LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
diff --git a/configure b/configure
index ee76699..81e1d84 100755
--- a/configure
+++ b/configure
@@ -462,7 +462,7 @@ ac_includes_default="\
# include <unistd.h>
#endif"
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO AMTAR install_sh STRIP ac_ct_STRIP INSTALL [...]
+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO AMTAR install_sh STRIP ac_ct_STRIP INSTALL [...]
ac_subst_files=''
# Initialize some variables set by options.
@@ -1032,6 +1032,7 @@ Optional Features:
optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds)
--enable-ssl2 enable SSLv2 (default=no)
+ --enable-ecc enable Elliptical Curve Cyptography (default=no)
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -3568,7 +3569,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 3571 "configure"' > conftest.$ac_ext
+ echo '#line 3572 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -5100,7 +5101,7 @@ fi
# Provide some information about the compiler.
-echo "$as_me:5103:" \
+echo "$as_me:5104:" \
"checking for Fortran 77 compiler version" >&5
ac_compiler=`set X $ac_compile; echo $2`
{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
@@ -6134,11 +6135,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6137: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6138: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:6141: \$? = $ac_status" >&5
+ echo "$as_me:6142: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -6367,11 +6368,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6370: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6371: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:6374: \$? = $ac_status" >&5
+ echo "$as_me:6375: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -6427,11 +6428,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6430: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6431: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:6434: \$? = $ac_status" >&5
+ echo "$as_me:6435: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -7761,7 +7762,7 @@ linux*)
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 7764 "configure"' > conftest.$ac_ext
+ echo '#line 7765 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -8632,7 +8633,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 8635 "configure"
+#line 8636 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -8730,7 +8731,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 8733 "configure"
+#line 8734 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -10909,11 +10910,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10912: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10913: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:10916: \$? = $ac_status" >&5
+ echo "$as_me:10917: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -10969,11 +10970,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10972: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10973: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:10976: \$? = $ac_status" >&5
+ echo "$as_me:10977: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -11480,7 +11481,7 @@ linux*)
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 11483 "configure"' > conftest.$ac_ext
+ echo '#line 11484 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -12351,7 +12352,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 12354 "configure"
+#line 12355 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -12449,7 +12450,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 12452 "configure"
+#line 12453 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -13276,11 +13277,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:13279: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:13280: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:13283: \$? = $ac_status" >&5
+ echo "$as_me:13284: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -13336,11 +13337,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:13339: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:13340: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:13343: \$? = $ac_status" >&5
+ echo "$as_me:13344: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -14650,7 +14651,7 @@ linux*)
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 14653 "configure"' > conftest.$ac_ext
+ echo '#line 14654 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -15391,11 +15392,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:15394: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:15395: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:15398: \$? = $ac_status" >&5
+ echo "$as_me:15399: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -15624,11 +15625,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:15627: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:15628: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:15631: \$? = $ac_status" >&5
+ echo "$as_me:15632: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -15684,11 +15685,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:15687: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:15688: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:15691: \$? = $ac_status" >&5
+ echo "$as_me:15692: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -17018,7 +17019,7 @@ linux*)
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 17021 "configure"' > conftest.$ac_ext
+ echo '#line 17022 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -17889,7 +17890,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 17892 "configure"
+#line 17893 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -17987,7 +17988,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 17990 "configure"
+#line 17991 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -19761,20 +19762,31 @@ fi;
if test $ssl2 = yes; then
echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6
+ extra_cppflags="$extra_cppflags -DWANT_SSL2"
else
echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6
fi
+#AM_CONDITIONAL(SSL2, test x$ssl2 = xyes)
-
-if test x$ssl2 = xyes; then
- SSL2_TRUE=
- SSL2_FALSE='#'
+echo "$as_me:$LINENO: checking for ECC" >&5
+echo $ECHO_N "checking for ECC... $ECHO_C" >&6
+# Check whether --enable-ecc or --disable-ecc was given.
+if test "${enable_ecc+set}" = set; then
+ enableval="$enable_ecc"
+ ecc=$enableval
+else
+ ecc=no
+fi;
+if test $ecc = yes; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ extra_cppflags="$extra_cppflags -DNSS_ENABLE_ECC"
else
- SSL2_TRUE='#'
- SSL2_FALSE=
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
fi
-
+#AM_CONDITIONAL(ECC, test x$ecc = xyes)
{ echo "$as_me:$LINENO: checking for apr-config..." >&5
echo "$as_me: checking for apr-config..." >&6;}
@@ -19954,7 +19966,7 @@ apache_inc=`$APXS -q INCLUDEDIR`
apache_conf=`$APXS -q SYSCONFDIR`
apache_prefix=`$APXS -q PREFIX`
apache_bin=`$APXS -q SBINDIR`
-extra_cppflags=`$APXS -q EXTRA_CPPFLAGS`
+extra_cppflags="$extra_cppflags `$APXS -q EXTRA_CPPFLAGS`"
if ! test -f "$apache_inc/apr.h"; then
if test -z "$apr_inc"; then
@@ -20387,13 +20399,6 @@ echo "$as_me: error: conditional \"AMDEP\" was never defined.
Usually this means the macro was only invoked conditionally." >&2;}
{ (exit 1); exit 1; }; }
fi
-if test -z "${SSL2_TRUE}" && test -z "${SSL2_FALSE}"; then
- { { echo "$as_me:$LINENO: error: conditional \"SSL2\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"SSL2\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
- { (exit 1); exit 1; }; }
-fi
: ${CONFIG_STATUS=./config.status}
ac_clean_files_save=$ac_clean_files
@@ -20981,8 +20986,6 @@ s, at YACC@,$YACC,;t t
s, at LEX@,$LEX,;t t
s, at LEXLIB@,$LEXLIB,;t t
s, at LEX_OUTPUT_ROOT@,$LEX_OUTPUT_ROOT,;t t
-s, at SSL2_TRUE@,$SSL2_TRUE,;t t
-s, at SSL2_FALSE@,$SSL2_FALSE,;t t
s, at APR_CONFIG@,$APR_CONFIG,;t t
s, at APXS@,$APXS,;t t
s, at PKG_CONFIG@,$PKG_CONFIG,;t t
diff --git a/configure.in b/configure.in
index cf49ba9..351e7cd 100644
--- a/configure.in
+++ b/configure.in
@@ -28,10 +28,23 @@ AC_ARG_ENABLE(ssl2,
ssl2=$enableval, ssl2=no)
if test $ssl2 = yes; then
AC_MSG_RESULT(yes)
+ extra_cppflags="$extra_cppflags -DWANT_SSL2"
else
AC_MSG_RESULT(no)
fi
-AM_CONDITIONAL(SSL2, test x$ssl2 = xyes)
+#AM_CONDITIONAL(SSL2, test x$ssl2 = xyes)
+
+AC_MSG_CHECKING(for ECC)
+AC_ARG_ENABLE(ecc,
+ [ --enable-ecc enable Elliptical Curve Cyptography (default=no)],
+ ecc=$enableval, ecc=no)
+if test $ecc = yes; then
+ AC_MSG_RESULT(yes)
+ extra_cppflags="$extra_cppflags -DNSS_ENABLE_ECC"
+else
+ AC_MSG_RESULT(no)
+fi
+#AM_CONDITIONAL(ECC, test x$ecc = xyes)
AC_CHECKING(for apr-config)
# check for --with-apr-config
@@ -97,7 +110,7 @@ apache_inc=`$APXS -q INCLUDEDIR`
apache_conf=`$APXS -q SYSCONFDIR`
apache_prefix=`$APXS -q PREFIX`
apache_bin=`$APXS -q SBINDIR`
-extra_cppflags=`$APXS -q EXTRA_CPPFLAGS`
+extra_cppflags="$extra_cppflags `$APXS -q EXTRA_CPPFLAGS`"
if ! test -f "$apache_inc/apr.h"; then
if test -z "$apr_inc"; then
diff --git a/mod_nss.c b/mod_nss.c
index 51fcafe..531fbe4 100644
--- a/mod_nss.c
+++ b/mod_nss.c
@@ -86,8 +86,13 @@ static const command_rec nss_config_cmds[] = {
"SSL Client Authentication "
"(`none', `optional', `require'")
SSL_CMD_SRV(Nickname, TAKE1,
- "SSL Server Certificate nickname "
+ "SSL RSA Server Certificate nickname "
"(`Server-Cert'")
+#ifdef NSS_ENABLE_ECC
+ SSL_CMD_SRV(ECCNickname, TAKE1,
+ "SSL ECC Server Certificate nickname "
+ "(`Server-Cert'")
+#endif
SSL_CMD_SRV(EnforceValidCerts, FLAG,
"Require a valid, trust, non-expired server certificate (default on)"
"(`on', `off'")
diff --git a/mod_nss.h b/mod_nss.h
index eff44ef..da868bd 100644
--- a/mod_nss.h
+++ b/mod_nss.h
@@ -268,11 +268,20 @@ typedef struct {
int tlsrollback;
int enforce;
const char *nickname;
+#ifdef NSS_ENABLE_ECC
+ const char *eccnickname;
+#endif
CERTCertificate *servercert;
SECKEYPrivateKey *serverkey;
SSLKEAType serverKEAType;
+#ifdef NSS_ENABLE_ECC
+ CERTCertificate *eccservercert;
+ SECKEYPrivateKey *eccserverkey;
+ SSLKEAType eccserverKEAType;
+#endif
+
PRFileDesc *model; /* used to model an SSL socket */
modnss_auth_ctx_t auth;
@@ -329,7 +338,11 @@ typedef struct regex_t ap_regex_t;
enum sslversion { SSL2=1, SSL3=2, TLS=4};
/* the table itself is defined in nss_engine_init.c */
+#ifdef NSS_ENABLE_ECC
+#define ciphernum 48
+#else
#define ciphernum 23
+#endif
/*
* function prototypes
@@ -353,6 +366,9 @@ const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifdef NSS_ENABLE_ECC
+const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#endif
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int);
const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
diff --git a/nss.conf.in b/nss.conf.in
index 88787a7..ce5930d 100644
--- a/nss.conf.in
+++ b/nss.conf.in
@@ -86,14 +86,27 @@ NSSEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_nss documentation for a complete list.
-NSSCipherSuite +rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha
+
+# SSL 3 ciphers. SSL 2 is disabled by default.
+NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
+
+# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
+#
+# Comment out the NSSCipherSuite line above and use the one below if you have
+# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
+#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdh [...]
NSSProtocol SSLv3,TLSv1
# SSL Certificate Nickname:
-# The nickname of the server certificate you are going to use.
+# The nickname of the RSA server certificate you are going to use.
NSSNickname Server-Cert
+# SSL Certificate Nickname:
+# The nickname of the ECC server certificate you are going to use, if you
+# have an ECC-enabled version of NSS and mod_nss
+#NSSECCNickname Server-Cert-ecc
+
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
diff --git a/nss_engine_config.c b/nss_engine_config.c
index bd067c3..1865054 100644
--- a/nss_engine_config.c
+++ b/nss_engine_config.c
@@ -80,6 +80,9 @@ static void modnss_ctx_init(modnss_ctx_t *mctx)
mctx->enforce = PR_TRUE;
mctx->nickname = NULL;
+#ifdef NSS_ENABLE_ECC
+ mctx->eccnickname = NULL;
+#endif
mctx->servercert = NULL;
mctx->serverkey = NULL;
@@ -162,6 +165,9 @@ static void modnss_ctx_cfg_merge(modnss_ctx_t *base,
cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
cfgMerge(nickname, NULL);
+#ifdef NSS_ENABLE_ECC
+ cfgMerge(eccnickname, NULL);
+#endif
cfgMerge(enforce, PR_TRUE);
}
@@ -416,6 +422,19 @@ const char *nss_cmd_NSSNickname(cmd_parms *cmd,
return NULL;
}
+#ifdef NSS_ENABLE_ECC
+const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->eccnickname = arg;
+
+ return NULL;
+}
+#endif
+
const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
diff --git a/nss_engine_init.c b/nss_engine_init.c
index 304ee9a..3333002 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -60,6 +60,34 @@ cipher_properties ciphers_def[ciphernum] =
/* AES ciphers.*/
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS},
+#ifdef NSS_ENABLE_ECC
+ /* ECC ciphers.*/
+ {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 0, TLS},
+ {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0, TLS},
+ {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
+ {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
+ {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0, TLS},
+ {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
+ {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
+ {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
+ {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS},
+ {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, 0, TLS},
+ {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
+ {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
+ {"echde_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, 0, TLS},
+ {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS},
+ {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
+ {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
+ {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS},
+ {"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, 0, TLS},
+ {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0, TLS},
+ {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0, TLS},
+#endif
};
static char *version_components[] = {
@@ -722,7 +750,11 @@ static void nss_init_server_check(server_rec *s,
apr_pool_t *ptemp,
modnss_ctx_t *mctx)
{
- if (mctx->servercert != NULL || mctx->serverkey != NULL) {
+#ifdef NSS_ENABLE_ECC
+ if (mctx->servercert != NULL || mctx->eccservercert != NULL) {
+#else
+ if (mctx->servercert != NULL) {
+#endif
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Illegal attempt to re-initialise SSL for server "
"(theoretically shouldn't happen!)");
@@ -749,58 +781,50 @@ static void nss_init_ctx(server_rec *s,
nss_init_ctx_cipher_suite(s, p, ptemp, mctx);
}
-static void nss_init_server_certs(server_rec *s,
- apr_pool_t *p,
- apr_pool_t *ptemp,
- modnss_ctx_t *mctx)
+static void nss_init_certificate(server_rec *s, const char *nickname,
+ CERTCertificate **servercert,
+ SECKEYPrivateKey **serverkey,
+ SSLKEAType *KEAtype,
+ PRFileDesc *model,
+ int enforce)
{
SECCertTimeValidity certtimestatus;
SECStatus secstatus;
PK11SlotInfo* slot = NULL;
-
- /*
- * Get own certificate and private key.
- */
- if (mctx->nickname == NULL && mctx->as_server) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "No certificate nickname provided.");
- nss_die();
+ if (nickname == NULL) {
+ return;
}
- if (mctx->nickname != NULL) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Using nickname %s.", mctx->nickname);
- mctx->servercert = FindServerCertFromNickname(mctx->nickname);
- }
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "Using nickname %s.", nickname);
+
+ *servercert = FindServerCertFromNickname(nickname);
/* Verify the certificate chain. */
- if (mctx->servercert != NULL && mctx->as_server) {
+ if (*servercert != NULL) {
SECCertificateUsage usage = certificateUsageSSLServer;
- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), mctx->servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
+ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Certificate not verified: '%s'", mctx->nickname);
+ "Certificate not verified: '%s'", nickname);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
- if (mctx->enforce) {
+ if (enforce) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", mctx->nickname);
+ "Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
nss_die();
}
}
- }
-
- if (NULL == mctx->servercert && mctx->as_server)
- {
+ } else {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Certificate not found: '%s'", mctx->nickname);
+ "Certificate not found: '%s'", nickname);
nss_die();
}
- if (mctx->nickname && strchr(mctx->nickname, ':'))
+ if (strchr(nickname, ':'))
{
- char* token = strdup(mctx->nickname);
+ char* token = strdup(nickname);
char* colon = strchr(token, ':');
if (colon) {
*colon = 0;
@@ -822,21 +846,19 @@ static void nss_init_server_certs(server_rec *s,
else {
slot = PK11_GetInternalKeySlot();
}
-
- if (mctx->servercert) {
- mctx->serverkey = PK11_FindPrivateKeyFromCert(slot, mctx->servercert, NULL);
- }
+
+ *serverkey = PK11_FindPrivateKeyFromCert(slot, *servercert, NULL);
+
PK11_FreeSlot(slot);
- if (mctx->as_server && mctx->serverkey == NULL) {
+ if (*serverkey == NULL) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Key not found for: '%s'", mctx->nickname);
+ "Key not found for: '%s'", nickname);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
- if (mctx->as_server) {
- mctx->serverKEAType = NSS_FindCertKEAType(mctx->servercert);
+ *KEAtype = NSS_FindCertKEAType(*servercert);
/*
* Check for certs that are expired or not yet valid and WARN about it
@@ -846,7 +868,7 @@ static void nss_init_server_certs(server_rec *s,
* for every virtual server - too expensive?
*/
- certtimestatus = CERT_CheckCertValidTimes(mctx->servercert, PR_Now(), PR_FALSE);
+ certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE);
switch (certtimestatus)
{
case secCertTimeValid:
@@ -854,35 +876,69 @@ static void nss_init_server_certs(server_rec *s,
break;
case secCertTimeExpired:
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Server certificate is expired: '%s'", mctx->nickname);
+ "Server certificate is expired: '%s'", nickname);
break;
case secCertTimeNotValidYet:
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Certificate is not valid yet '%s'", mctx->nickname);
+ "Certificate is not valid yet '%s'", nickname);
default:
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Unhandled Certificate time type %d for: '%s'", certtimestatus, mctx->nickname);
+ "Unhandled Certificate time type %d for: '%s'", certtimestatus, nickname);
break;
}
- }
- secstatus = (SECStatus)SSL_SetPKCS11PinArg(mctx->model, NULL);
+ secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype);
if (secstatus != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Error setting PKCS11 pin argument: '%s'", mctx->nickname);
+ "SSL error configuring server: '%s'", nickname);
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
-
+}
+
+
+static void nss_init_server_certs(server_rec *s,
+ apr_pool_t *p,
+ apr_pool_t *ptemp,
+ modnss_ctx_t *mctx)
+{
+ SECCertTimeValidity certtimestatus;
+ SECStatus secstatus;
+
+ PK11SlotInfo* slot = NULL;
+
+ /*
+ * Get own certificate and private key.
+ */
if (mctx->as_server) {
- secstatus = SSL_ConfigSecureServer(mctx->model, mctx->servercert, mctx->serverkey, mctx->serverKEAType);
- if (secstatus != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "SSL error configuring server: '%s'", mctx->nickname);
- nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+#ifdef NSS_ENABLE_ECC
+ if (mctx->nickname == NULL && mctx->eccnickname == NULL)
+#else
+ if (mctx->nickname == NULL)
+#endif
+ {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "No certificate nickname provided.");
nss_die();
}
+
+ nss_init_certificate(s, mctx->nickname, &mctx->servercert,
+ &mctx->serverkey, &mctx->serverKEAType,
+ mctx->model, mctx->enforce);
+#ifdef NSS_ENABLE_ECC
+ nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
+ &mctx->eccserverkey, &mctx->eccserverKEAType,
+ mctx->model, mctx->enforce);
+#endif
}
+ secstatus = (SECStatus)SSL_SetPKCS11PinArg(mctx->model, NULL);
+ if (secstatus != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "Error setting PKCS11 pin argument: '%s'", mctx->nickname);
+ nss_die();
+ }
+
secstatus = (SECStatus)SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback)NSSHandshakeCallback, NULL);
if (secstatus != SECSuccess)
{
@@ -958,8 +1014,16 @@ apr_status_t nss_init_ModuleKill(void *data)
sc = mySrvConfig(s);
if (sc->enabled) {
- CERT_DestroyCertificate(sc->server->servercert);
- SECKEY_DestroyPrivateKey(sc->server->serverkey);
+ if (sc->server->nickname) {
+ CERT_DestroyCertificate(sc->server->servercert);
+ SECKEY_DestroyPrivateKey(sc->server->serverkey);
+ }
+#ifdef NSS_ENABLE_ECC
+ if (sc->server->eccnickname) {
+ CERT_DestroyCertificate(sc->server->eccservercert);
+ SECKEY_DestroyPrivateKey(sc->server->eccserverkey);
+ }
+#endif
/* Closing this implicitly cleans up the copy of the certificates
* and keys associated with any SSL socket */
diff --git a/nss_engine_io.c b/nss_engine_io.c
index 1ac74e0..6d8d950 100644
--- a/nss_engine_io.c
+++ b/nss_engine_io.c
@@ -652,7 +652,7 @@ static apr_status_t nss_io_filter_cleanup(void *data)
conn_rec *c = filter_ctx->c;
SSLConnRec *sslconn = myConnConfig(c);
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, c->base_server,
"SSL connection destroyed without being closed");
PR_Close(sslconn->ssl);
@@ -859,7 +859,7 @@ static apr_status_t nss_io_filter_output(ap_filter_t *f,
filter_ctx->nobuffer = 1;
status = nss_filter_io_shutdown(filter_ctx, f->c, 0);
if (status != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_INFO, status, NULL,
+ ap_log_error(APLOG_MARK, APLOG_INFO, status, f->c->base_server,
"SSL filter error shutting down I/O");
}
if ((status = ap_pass_brigade(f->next, bb)) != APR_SUCCESS) {
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c
index 167b9f0..84323c8 100644
--- a/nss_engine_kernel.c
+++ b/nss_engine_kernel.c
@@ -446,6 +446,9 @@ int nss_hook_Access(request_rec *r)
"Performing full renegotiation: "
"complete handshake protocol");
+ /* Do NOT call SSL_ResetHandshake as this will tear down the
+ * existing connection.
+ */
if (SSL_HandshakeCallback(ssl, HandshakeDone, (void *)&handshake_done) || SSL_ReHandshake(ssl, PR_TRUE)) {
int errCode = PR_GetError();
if (errCode == SEC_ERROR_INVALID_ARGS) {
@@ -461,7 +464,7 @@ int nss_hook_Access(request_rec *r)
return HTTP_FORBIDDEN;
}
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Awaiting re-negotiation handshake");
while (!handshake_done) {
@@ -500,7 +503,9 @@ int nss_hook_Access(request_rec *r)
"Re-negotiation handshake failed: "
"Not accepted by client!?");
+#if 0
r->connection->aborted = 1;
+#endif
return HTTP_FORBIDDEN;
}
}
@@ -724,6 +729,7 @@ static const char *nss_hook_Fixup_vars[] = {
"SSL_VERSION_LIBRARY",
"SSL_PROTOCOL",
"SSL_CIPHER",
+ "SSL_CIPHER_NAME",
"SSL_CIPHER_EXPORT",
"SSL_CIPHER_USEKEYSIZE",
"SSL_CIPHER_ALGKEYSIZE",
diff --git a/nss_engine_vars.c b/nss_engine_vars.c
index 4d18c9a..f5fb045 100644
--- a/nss_engine_vars.c
+++ b/nss_engine_vars.c
@@ -363,10 +363,10 @@ static char *nss_var_lookup_nss_cert(apr_pool_t *p, CERTCertificate *xs, char *v
if (SSL_GetCipherSuiteInfo(channel.cipherSuite,
&suite, sizeof suite) == SECSuccess)
{
- result = apr_psprintf(p, "%s", suite.keaTypeName);
+ result = apr_psprintf(p, "%s_%s", suite.keaTypeName, suite.authAlgorithmName);
}
} else
- result = apr_pstrdup(p, "UNKNOWN");
+ result = apr_pstrdup(p, "UNKNOWN_UNKNOWN");
resdup = FALSE;
}
@@ -582,6 +582,25 @@ static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var)
result = apr_psprintf(p, "%d", keySize);
resdup = FALSE;
}
+ else if (strcEQ(var, "_NAME")) {
+ SSLChannelInfo channel;
+ SSLCipherSuiteInfo suite;
+ SSLConnRec *sslconn = myConnConfig(c);
+
+ if (SSL_GetChannelInfo(sslconn->ssl, &channel, sizeof channel) ==
+ SECSuccess && channel.length == sizeof channel &&
+ channel.cipherSuite)
+ {
+ if (SSL_GetCipherSuiteInfo(channel.cipherSuite,
+ &suite, sizeof suite) == SECSuccess)
+ {
+ result = apr_psprintf(p, "%s", suite.cipherSuiteName);
+ }
+ } else
+ result = apr_pstrdup(p, "UNKNOWN");
+
+ resdup = FALSE;
+ }
if (result != NULL && resdup)
result = apr_pstrdup(p, result);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git
More information about the Pkg-fedora-ds-maintainers
mailing list