Posted to commits@trafficserver.apache.org by jp...@apache.org on 2013/12/05 05:53:34 UTC

git commit: TS-2372: improved OpenSSL EC key support detection

Updated Branches:
  refs/heads/master 6ae5e9219 -> 14ef40ef2


TS-2372: improved OpenSSL EC key support detection


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/14ef40ef
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/14ef40ef
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/14ef40ef

Branch: refs/heads/master
Commit: 14ef40ef2f3bd4c62ed18a5737508167a57d371e
Parents: 6ae5e92
Author: James Peach <jp...@apache.org>
Authored: Wed Dec 4 20:52:48 2013 -0800
Committer: James Peach <jp...@apache.org>
Committed: Wed Dec 4 20:52:48 2013 -0800

----------------------------------------------------------------------
 build/crypto.m4        | 15 ++++++++++++++-
 configure.ac           |  4 ++++
 iocore/net/SSLUtils.cc |  6 +++++-
 lib/ts/ink_config.h.in |  1 +
 4 files changed, 24 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/build/crypto.m4
----------------------------------------------------------------------
diff --git a/build/crypto.m4 b/build/crypto.m4
index 20cefb7..998e147 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -111,6 +111,19 @@ fi
 
 ])
 
+AC_DEFUN([TS_CHECK_CRYPTO_EC_KEYS], [
+  _eckeys_saved_LIBS=$LIBS
+  TS_ADDTO(LIBS, [$LIBSSL])
+  AC_CHECK_HEADERS(openssl/ec.h)
+  AC_CHECK_FUNCS(EC_KEY_new_by_curve_name, [enable_tls_eckey=yes], [enable_tls_eckey=no])
+  LIBS=$_eckeys_saved_LIBS
+
+  AC_MSG_CHECKING(whether EC keys are supported)
+  AC_MSG_RESULT([$enable_tls_eckey])
+  TS_ARG_ENABLE_VAR([use], [tls-eckey])
+  AC_SUBST(use_tls_eckey)
+])
+
 AC_DEFUN([TS_CHECK_CRYPTO_NEXTPROTONEG], [
   enable_tls_npn=yes
   _npn_saved_LIBS=$LIBS
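Review bot: The result of `AC_CHECK_HEADERS(openssl/ec.h)` in `TS_CHECK_CRYPTO_EC_KEYS` never feeds into `enable_tls_eckey`; only the link test for `EC_KEY_new_by_curve_name` decides it. If the library exports the symbol but the installed headers lack `openssl/ec.h` (mismatched or trimmed development packages), configure would report EC keys as supported while the guarded code in SSLUtils.cc may compile to nothing. Consider making the header a precondition by putting `AC_CHECK_HEADERS([openssl/ec.h], [], [enable_tls_eckey=no])` after the `AC_CHECK_FUNCS` line. A short comment above the macro naming what it sets (`use_tls_eckey`, `HAVE_EC_KEY_NEW_BY_CURVE_NAME`) would also help anyone auditing why a build lacks ECDH.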
@@ -131,7 +144,7 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
   enable_tls_sni=yes
 
   TS_ADDTO(LIBS, [$LIBSSL])
-  AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h openssl/ec.h)
+  AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h)
   # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
   # macro, so AC_CHECK_FUNCS is not going to do the business.
   AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/configure.ac
----------------------------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 96bb953..dde8c40 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1123,6 +1123,10 @@ fi
 TS_CHECK_CRYPTO_NEXTPROTONEG
 
 #
+# Check for EC key support.
+TS_CHECK_CRYPTO_EC_KEYS
+
+#
 # Check for ServerNameIndication TLS extension support.
 TS_CHECK_CRYPTO_SNI
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 2dc691c..3ef6165 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -192,9 +192,11 @@ ssl_context_enable_sni(SSL_CTX * ctx, SSLCertLookup * lookup)
 static void
 ssl_enable_ecdh(SSL_CTX * ctx)
 {
+#if TS_USE_TLS_ECKEY
+
 #if defined(SSL_CTRL_SET_ECDH_AUTO)
   SSL_CTX_set_ecdh_auto(ctx, 1);
-#elif defined(NID_X9_62_prime256v1)
+#elif defined(HAVE_EC_KEY_NEW_BY_CURVE_NAME) && defined(NID_X9_62_prime256v1)
   EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
 
   if (ecdh) {
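Review bot: When `TS_USE_TLS_ECKEY` is 0, or when neither inner branch matches, `ssl_enable_ecdh` compiles to an empty body and nothing in the code says so. The context is then left without ECDH parameters, which presumably means ECDHE key exchange is unavailable on that build. Nothing in the visible lines tells an operator that this happened, so a comment above the outer guard would make the fallback explicit, e.g. `// Without EC key support from configure this is a no-op and ECDH key exchange stays disabled.` The function body continues into the next hunk, where the matching `#endif` is added, and the line between the two hunks is not visible here.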
@@ -202,6 +204,8 @@ ssl_enable_ecdh(SSL_CTX * ctx)
     EC_KEY_free(ecdh);
   }
 #endif
+
+#endif
 }
 
 void

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/14ef40ef/lib/ts/ink_config.h.in
----------------------------------------------------------------------
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 9dfb46a..ee1e029 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -67,6 +67,7 @@
 #define TS_USE_RECLAIMABLE_FREELIST    @use_reclaimable_freelist@
 #define TS_USE_TLS_NPN                 @use_tls_npn@
 #define TS_USE_TLS_SNI                 @use_tls_sni@
+#define TS_USE_TLS_ECKEY               @use_tls_eckey@
 #define TS_USE_LINUX_NATIVE_AIO        @use_linux_native_aio@
 #define TS_USE_COP_DEBUG               @use_cop_debug@
 #define TS_USE_INTERIM_CACHE           @has_interim_cache@