Posted to commits@trafficserver.apache.org by jp...@apache.org on 2013/12/05 05:53:34 UTC
git commit: TS-2372: improved OpenSSL EC key support detection
Updated Branches:
refs/heads/master 6ae5e9219 -> 14ef40ef2
TS-2372: improved OpenSSL EC key support detection
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/14ef40ef
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/14ef40ef
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/14ef40ef
Branch: refs/heads/master
Commit: 14ef40ef2f3bd4c62ed18a5737508167a57d371e
Parents: 6ae5e92
Author: James Peach <jp...@apache.org>
Authored: Wed Dec 4 20:52:48 2013 -0800
Committer: James Peach <jp...@apache.org>
Committed: Wed Dec 4 20:52:48 2013 -0800
----------------------------------------------------------------------
build/crypto.m4 | 15 ++++++++++++++-
configure.ac | 4 ++++
iocore/net/SSLUtils.cc | 6 +++++-
lib/ts/ink_config.h.in | 1 +
4 files changed, 24 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/build/crypto.m4
----------------------------------------------------------------------
diff --git a/build/crypto.m4 b/build/crypto.m4
index 20cefb7..998e147 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -111,6 +111,19 @@ fi
])
+AC_DEFUN([TS_CHECK_CRYPTO_EC_KEYS], [
+ _eckeys_saved_LIBS=$LIBS
+ TS_ADDTO(LIBS, [$LIBSSL])
+ AC_CHECK_HEADERS(openssl/ec.h)
+ AC_CHECK_FUNCS(EC_KEY_new_by_curve_name, [enable_tls_eckey=yes], [enable_tls_eckey=no])
+ LIBS=$_eckeys_saved_LIBS
+
+ AC_MSG_CHECKING(whether EC keys are supported)
+ AC_MSG_RESULT([$enable_tls_eckey])
+ TS_ARG_ENABLE_VAR([use], [tls-eckey])
+ AC_SUBST(use_tls_eckey)
+])
+
AC_DEFUN([TS_CHECK_CRYPTO_NEXTPROTONEG], [
enable_tls_npn=yes
_npn_saved_LIBS=$LIBS
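Review bot: In `TS_CHECK_CRYPTO_EC_KEYS`, `enable_tls_eckey` is set only by the `AC_CHECK_FUNCS(EC_KEY_new_by_curve_name, ...)` link test; the result of `AC_CHECK_HEADERS(openssl/ec.h)` on the line above is never consulted. If the symbol links but the header is absent, `use_tls_eckey` would presumably still become 1 and the EC_KEY code in SSLUtils.cc would fail to compile rather than being cleanly disabled. Folding the header result into the decision closes that gap, for example `AS_IF([test "x$ac_cv_header_openssl_ec_h" != "xyes"], [enable_tls_eckey=no])` placed after the function check. A short `dnl` comment saying that some OpenSSL builds ship without EC support, and that this macro drives `TS_USE_TLS_ECKEY`, would also help whoever reads the configure output later.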
@@ -131,7 +144,7 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
enable_tls_sni=yes
TS_ADDTO(LIBS, [$LIBSSL])
- AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h openssl/ec.h)
+ AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h)
# We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
# macro, so AC_CHECK_FUNCS is not going to do the business.
AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/configure.ac
----------------------------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 96bb953..dde8c40 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1123,6 +1123,10 @@ fi
TS_CHECK_CRYPTO_NEXTPROTONEG
#
+# Check for EC key support.
+TS_CHECK_CRYPTO_EC_KEYS
+
+#
# Check for ServerNameIndication TLS extension support.
TS_CHECK_CRYPTO_SNI
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 2dc691c..3ef6165 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -192,9 +192,11 @@ ssl_context_enable_sni(SSL_CTX * ctx, SSLCertLookup * lookup)
static void
ssl_enable_ecdh(SSL_CTX * ctx)
{
+#if TS_USE_TLS_ECKEY
+
#if defined(SSL_CTRL_SET_ECDH_AUTO)
SSL_CTX_set_ecdh_auto(ctx, 1);
-#elif defined(NID_X9_62_prime256v1)
+#elif defined(HAVE_EC_KEY_NEW_BY_CURVE_NAME) && defined(NID_X9_62_prime256v1)
EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh) {
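Review bot: When `TS_USE_TLS_ECKEY` is 0 the body of `ssl_enable_ecdh` compiles to nothing, so the context is left without ECDH parameters and nothing in this function records that; on such a build ECDHE key exchange is presumably unavailable, and the only trace is one line of configure output. I would add a comment above the outer guard such as `// OpenSSL built without EC support: no ECDH parameters are installed on this context.` and an `#else` branch holding `(void)ctx;` so the unused parameter is explicit. The added `defined(HAVE_EC_KEY_NEW_BY_CURVE_NAME)` test in the `#elif` looks redundant, since configure derives `use_tls_eckey` from that same function check; if it is kept as defence in depth, a comment saying so would help. The existing `if (ecdh)` has no visible failure branch either, but the rest of the function body lies outside this hunk, so that is worth confirming against the full file.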
@@ -202,6 +204,8 @@ ssl_enable_ecdh(SSL_CTX * ctx)
EC_KEY_free(ecdh);
}
#endif
+
+#endif
}
void
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/lib/ts/ink_config.h.in
----------------------------------------------------------------------
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 9dfb46a..ee1e029 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -67,6 +67,7 @@
#define TS_USE_RECLAIMABLE_FREELIST @use_reclaimable_freelist@
#define TS_USE_TLS_NPN @use_tls_npn@
#define TS_USE_TLS_SNI @use_tls_sni@
+#define TS_USE_TLS_ECKEY @use_tls_eckey@
#define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
#define TS_USE_COP_DEBUG @use_cop_debug@
#define TS_USE_INTERIM_CACHE @has_interim_cache@