| author | rcritten <> | 2006-03-02 19:21:54 +0000 |
|---|---|---|
| committer | rcritten <> | 2006-03-02 19:21:54 +0000 |
| commit | b9131c4fa214f39705da4246425645a6c587d488 (patch) | |
| tree | 51330d53bb6e98f11ec74cd66c640fb7afa782f4 | |
| parent | 50ad8c993fc499f0d09cebd2d5f1517677f7e748 (diff) | |
| download | mod_nss-b9131c4fa214f39705da4246425645a6c587d488.tar.gz mod_nss-b9131c4fa214f39705da4246425645a6c587d488.tar.xz mod_nss-b9131c4fa214f39705da4246425645a6c587d488.zip | |
Add support for Elliptic Curve Cryptography (ECC). This is disabled
by default. To enable it, pass --enable-ecc to configure.
| -rw-r--r-- | Makefile.am | 1 | ||||
| -rw-r--r-- | Makefile.in | 1 | ||||
| -rwxr-xr-x | configure | 103 | ||||
| -rw-r--r-- | configure.in | 17 | ||||
| -rw-r--r-- | mod_nss.c | 7 | ||||
| -rw-r--r-- | mod_nss.h | 16 | ||||
| -rw-r--r-- | nss.conf.in | 17 | ||||
| -rw-r--r-- | nss_engine_config.c | 19 | ||||
| -rw-r--r-- | nss_engine_init.c | 170 | ||||
| -rw-r--r-- | nss_engine_io.c | 4 | ||||
| -rw-r--r-- | nss_engine_kernel.c | 8 | ||||
| -rw-r--r-- | nss_engine_vars.c | 23 |
12 files changed, 271 insertions, 115 deletions
diff --git a/Makefile.am b/Makefile.am index 61500fc..66fa6a3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -12,7 +12,6 @@ libmodnss_la_LDFLAGS = -module -avoid-version ## Set the includes and libraries needed INCLUDES = -I@apache_inc@ @nspr_inc@ @nss_inc@ @apr_inc@ LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4 -@SSL2_TRUE@AM_CFLAGS=-DWANT_SSL2 EXTRA_CPPFLAGS=@extra_cppflags@ install-libLTLIBRARIES: libmodnss.la diff --git a/Makefile.in b/Makefile.in index 29e322c..a587bcf 100644 --- a/Makefile.in +++ b/Makefile.in @@ -121,7 +121,6 @@ libmodnss_la_LDFLAGS = -module -avoid-version INCLUDES = -I@apache_inc@ @nspr_inc@ @nss_inc@ @apr_inc@ LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4 -@SSL2_TRUE@AM_CFLAGS = -DWANT_SSL2 EXTRA_CPPFLAGS = @extra_cppflags@ LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ 
@@ -462,7 +462,7 @@ ac_includes_default="\ # include <unistd.h> #endif" -ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO AMTAR install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM AWK SET_MAKE CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE build build_cpu build_vendor build_os host host_cpu host_vendor host_os EGREP LN_S ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CPP CXX CXXFLAGS ac_ct_CXX CXXDEPMODE CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL YACC LEX LEXLIB LEX_OUTPUT_ROOT SSL2_TRUE SSL2_FALSE APR_CONFIG APXS PKG_CONFIG apr_inc apache_inc apache_conf apache_prefix apache_bin nspr_inc nspr_lib nss_inc nss_lib nspr_dir nss_dir extra_cppflags LIBOBJS LTLIBOBJS' +ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO AMTAR install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM AWK SET_MAKE CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE build build_cpu build_vendor build_os host host_cpu host_vendor host_os EGREP LN_S ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CPP CXX CXXFLAGS ac_ct_CXX CXXDEPMODE CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL YACC LEX LEXLIB 
LEX_OUTPUT_ROOT APR_CONFIG APXS PKG_CONFIG apr_inc apache_inc apache_conf apache_prefix apache_bin nspr_inc nspr_lib nss_inc nss_lib nspr_dir nss_dir extra_cppflags LIBOBJS LTLIBOBJS' ac_subst_files='' # Initialize some variables set by options. @@ -1032,6 +1032,7 @@ Optional Features: optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) --enable-ssl2 enable SSLv2 (default=no) + --enable-ecc enable Elliptical Curve Cyptography (default=no) Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -3568,7 +3569,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 3571 "configure"' > conftest.$ac_ext + echo '#line 3572 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -5100,7 +5101,7 @@ fi # Provide some information about the compiler. -echo "$as_me:5103:" \ +echo "$as_me:5104:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5 @@ -6134,11 +6135,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6137: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6138: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:6141: \$? = $ac_status" >&5 + echo "$as_me:6142: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -6367,11 +6368,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6370: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6371: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:6374: \$? = $ac_status" >&5 + echo "$as_me:6375: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -6427,11 +6428,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6430: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6431: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:6434: \$? = $ac_status" >&5 + echo "$as_me:6435: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -7761,7 +7762,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 7764 "configure"' > conftest.$ac_ext + echo '#line 7765 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -8632,7 +8633,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 8635 "configure" +#line 8636 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -8730,7 +8731,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 8733 "configure" +#line 8734 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -10909,11 +10910,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10912: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10913: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10916: \$? = $ac_status" >&5 + echo "$as_me:10917: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -10969,11 +10970,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10972: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10973: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10976: \$? = $ac_status" >&5 + echo "$as_me:10977: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -11480,7 +11481,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 11483 "configure"' > conftest.$ac_ext + echo '#line 11484 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -12351,7 +12352,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 12354 "configure" +#line 12355 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12449,7 +12450,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 12452 "configure" +#line 12453 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -13276,11 +13277,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13279: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13280: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:13283: \$? = $ac_status" >&5 + echo "$as_me:13284: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -13336,11 +13337,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13339: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13340: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:13343: \$? = $ac_status" >&5 + echo "$as_me:13344: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -14650,7 +14651,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 14653 "configure"' > conftest.$ac_ext + echo '#line 14654 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -15391,11 +15392,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15394: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15395: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15398: \$? = $ac_status" >&5 + echo "$as_me:15399: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -15624,11 +15625,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15627: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15628: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15631: \$? = $ac_status" >&5 + echo "$as_me:15632: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -15684,11 +15685,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15687: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15688: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:15691: \$? = $ac_status" >&5 + echo "$as_me:15692: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -17018,7 +17019,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 17021 "configure"' > conftest.$ac_ext + echo '#line 17022 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -17889,7 +17890,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 17892 "configure" +#line 17893 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -17987,7 +17988,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 17990 "configure" +#line 17991 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -19761,20 +19762,31 @@ fi; if test $ssl2 = yes; then echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 + extra_cppflags="$extra_cppflags -DWANT_SSL2" else echo "$as_me:$LINENO: result: no" >&5 echo "${ECHO_T}no" >&6 fi +#AM_CONDITIONAL(SSL2, test x$ssl2 = xyes) - -if test x$ssl2 = xyes; then - SSL2_TRUE= - SSL2_FALSE='#' +echo "$as_me:$LINENO: checking for ECC" >&5 +echo $ECHO_N "checking for ECC... $ECHO_C" >&6 +# Check whether --enable-ecc or --disable-ecc was given. +if test "${enable_ecc+set}" = set; then + enableval="$enable_ecc" + ecc=$enableval +else + ecc=no +fi; +if test $ecc = yes; then + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + extra_cppflags="$extra_cppflags -DNSS_ENABLE_ECC" else - SSL2_TRUE='#' - SSL2_FALSE= + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 fi - +#AM_CONDITIONAL(ECC, test x$ecc = xyes) { echo "$as_me:$LINENO: checking for apr-config..." >&5 echo "$as_me: checking for apr-config..." >&6;} @@ -19954,7 +19966,7 @@ apache_inc=`$APXS -q INCLUDEDIR` apache_conf=`$APXS -q SYSCONFDIR` apache_prefix=`$APXS -q PREFIX` apache_bin=`$APXS -q SBINDIR` -extra_cppflags=`$APXS -q EXTRA_CPPFLAGS` +extra_cppflags="$extra_cppflags `$APXS -q EXTRA_CPPFLAGS`" if ! test -f "$apache_inc/apr.h"; then if test -z "$apr_inc"; then @@ -20387,13 +20399,6 @@ echo "$as_me: error: conditional \"AMDEP\" was never defined. Usually this means the macro was only invoked conditionally." >&2;} { (exit 1); exit 1; }; } fi -if test -z "${SSL2_TRUE}" && test -z "${SSL2_FALSE}"; then - { { echo "$as_me:$LINENO: error: conditional \"SSL2\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"SSL2\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi : ${CONFIG_STATUS=./config.status} ac_clean_files_save=$ac_clean_files 
@@ -20981,8 +20986,6 @@ s,@YACC@,$YACC,;t t s,@LEX@,$LEX,;t t s,@LEXLIB@,$LEXLIB,;t t s,@LEX_OUTPUT_ROOT@,$LEX_OUTPUT_ROOT,;t t -s,@SSL2_TRUE@,$SSL2_TRUE,;t t -s,@SSL2_FALSE@,$SSL2_FALSE,;t t s,@APR_CONFIG@,$APR_CONFIG,;t t s,@APXS@,$APXS,;t t s,@PKG_CONFIG@,$PKG_CONFIG,;t t diff --git a/configure.in b/configure.in index cf49ba9..351e7cd 100644 --- a/configure.in +++ b/configure.in @@ -28,10 +28,23 @@ AC_ARG_ENABLE(ssl2, ssl2=$enableval, ssl2=no) if test $ssl2 = yes; then AC_MSG_RESULT(yes) + extra_cppflags="$extra_cppflags -DWANT_SSL2" else AC_MSG_RESULT(no) fi -AM_CONDITIONAL(SSL2, test x$ssl2 = xyes) +#AM_CONDITIONAL(SSL2, test x$ssl2 = xyes) + +AC_MSG_CHECKING(for ECC) +AC_ARG_ENABLE(ecc, + [ --enable-ecc enable Elliptical Curve Cyptography (default=no)], + ecc=$enableval, ecc=no) +if test $ecc = yes; then + AC_MSG_RESULT(yes) + extra_cppflags="$extra_cppflags -DNSS_ENABLE_ECC" +else + AC_MSG_RESULT(no) +fi +#AM_CONDITIONAL(ECC, test x$ecc = xyes) AC_CHECKING(for apr-config) # check for --with-apr-config @@ -97,7 +110,7 @@ apache_inc=`$APXS -q INCLUDEDIR` apache_conf=`$APXS -q SYSCONFDIR` apache_prefix=`$APXS -q PREFIX` apache_bin=`$APXS -q SBINDIR` -extra_cppflags=`$APXS -q EXTRA_CPPFLAGS` +extra_cppflags="$extra_cppflags `$APXS -q EXTRA_CPPFLAGS`" if ! test -f "$apache_inc/apr.h"; then if test -z "$apr_inc"; then @@ -86,8 +86,13 @@ static const command_rec nss_config_cmds[] = { "SSL Client Authentication " "(`none', `optional', `require'") SSL_CMD_SRV(Nickname, TAKE1, - "SSL Server Certificate nickname " + "SSL RSA Server Certificate nickname " "(`Server-Cert'") +#ifdef NSS_ENABLE_ECC + SSL_CMD_SRV(ECCNickname, TAKE1, + "SSL ECC Server Certificate nickname " + "(`Server-Cert'") +#endif SSL_CMD_SRV(EnforceValidCerts, FLAG, "Require a valid, trust, non-expired server certificate (default on)" "(`on', `off'") 
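Review bot: In the first configure.in hunk, `--enable-ecc` only appends `-DNSS_ENABLE_ECC` to `extra_cppflags`; nothing visible here checks that the NSS found by configure was itself built with ECC, so a mismatch would surface only at compile time or at server start. `test $ecc = yes` is unquoted, so an empty value (`--enable-ecc=`) makes `test` fail with a syntax error; `test "x$ecc" = xyes` avoids that, and the same applies to the existing `$ssl2` test. The help string spells "Cyptography", and the commented-out `#AM_CONDITIONAL(...)` lines could be deleted rather than left behind.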
@@ -268,11 +268,20 @@ typedef struct { int tlsrollback; int enforce; const char *nickname; +#ifdef NSS_ENABLE_ECC + const char *eccnickname; +#endif CERTCertificate *servercert; SECKEYPrivateKey *serverkey; SSLKEAType serverKEAType; +#ifdef NSS_ENABLE_ECC + CERTCertificate *eccservercert; + SECKEYPrivateKey *eccserverkey; + SSLKEAType eccserverKEAType; +#endif + PRFileDesc *model; /* used to model an SSL socket */ modnss_auth_ctx_t auth; @@ -329,7 +338,11 @@ typedef struct regex_t ap_regex_t; enum sslversion { SSL2=1, SSL3=2, TLS=4}; /* the table itself is defined in nss_engine_init.c */ +#ifdef NSS_ENABLE_ECC +#define ciphernum 48 +#else #define ciphernum 23 +#endif /* * function prototypes @@ -353,6 +366,9 @@ const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg); +#ifdef NSS_ENABLE_ECC +const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg); +#endif const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int); const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg); diff --git a/nss.conf.in b/nss.conf.in index 88787a7..ce5930d 100644 --- a/nss.conf.in +++ b/nss.conf.in 
@@ -86,14 +86,27 @@ NSSEngine on # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_nss documentation for a complete list. -NSSCipherSuite +rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha + +# SSL 3 ciphers. SSL 2 is disabled by default. +NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha + +# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default. +# +# Comment out the NSSCipherSuite line above and use the one below if you have +# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography +#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha NSSProtocol SSLv3,TLSv1 # SSL Certificate Nickname: -# The nickname of the server certificate you are going to use. +# The nickname of the RSA server certificate you are going to use. 
NSSNickname Server-Cert +# SSL Certificate Nickname: +# The nickname of the ECC server certificate you are going to use, if you +# have an ECC-enabled version of NSS and mod_nss +#NSSECCNickname Server-Cert-ecc + # Server Certificate Database: # The NSS security database directory that holds the certificates and # keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. diff --git a/nss_engine_config.c b/nss_engine_config.c index bd067c3..1865054 100644 --- a/nss_engine_config.c +++ b/nss_engine_config.c @@ -80,6 +80,9 @@ static void modnss_ctx_init(modnss_ctx_t *mctx) mctx->enforce = PR_TRUE; mctx->nickname = NULL; +#ifdef NSS_ENABLE_ECC + mctx->eccnickname = NULL; +#endif mctx->servercert = NULL; mctx->serverkey = NULL; @@ -162,6 +165,9 @@ static void modnss_ctx_cfg_merge(modnss_ctx_t *base, cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET); cfgMerge(nickname, NULL); +#ifdef NSS_ENABLE_ECC + cfgMerge(eccnickname, NULL); +#endif cfgMerge(enforce, PR_TRUE); } @@ -416,6 +422,19 @@ const char *nss_cmd_NSSNickname(cmd_parms *cmd, return NULL; } +#ifdef NSS_ENABLE_ECC +const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, + void *dcfg, + const char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + sc->server->eccnickname = arg; + + return NULL; +} +#endif + const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); diff --git a/nss_engine_init.c b/nss_engine_init.c index 304ee9a..3333002 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c 
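Review bot: In the first nss_engine_config.c hunk, modnss_ctx_init() resets `eccnickname` but not the new `eccservercert`, `eccserverkey` and `eccserverKEAType` fields that mod_nss.h adds, while nss_init_server_check() in nss_engine_init.c now tests `mctx->eccservercert != NULL`. Unless the context is allocated zeroed (not visible here; the explicit `servercert`/`serverkey` resets in the context lines suggest it is not relied on), that test reads an indeterminate pointer and can report a spurious re-initialisation. I would add `mctx->eccservercert = NULL;` and `mctx->eccserverkey = NULL;` under `#ifdef NSS_ENABLE_ECC` next to the existing resets. modnss_ctx_init's body starts and ends outside the hunk.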
@@ -60,6 +60,34 @@ cipher_properties ciphers_def[ciphernum] = /* AES ciphers.*/ {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS}, {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS}, +#ifdef NSS_ENABLE_ECC + /* ECC ciphers.*/ + {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 0, TLS}, + {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0, TLS}, + {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, + {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS}, + {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS}, + {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0, TLS}, + {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS}, + {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, + {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS}, + {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS}, + {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS}, + {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, 0, TLS}, + {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, + {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0, TLS}, + {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0, TLS}, + {"echde_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, 0, TLS}, + {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS}, + {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, + {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS}, + {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS}, + {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS}, + {"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, 0, TLS}, + {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0, TLS}, + {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0, TLS}, + {"ecdh_anon_aes_256_sha", 
TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0, TLS}, +#endif }; static char *version_components[] = { @@ -722,7 +750,11 @@ static void nss_init_server_check(server_rec *s, apr_pool_t *ptemp, modnss_ctx_t *mctx) { - if (mctx->servercert != NULL || mctx->serverkey != NULL) { +#ifdef NSS_ENABLE_ECC + if (mctx->servercert != NULL || mctx->eccservercert != NULL) { +#else + if (mctx->servercert != NULL) { +#endif ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Illegal attempt to re-initialise SSL for server " "(theoretically shouldn't happen!)"); 
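Review bot: Three of the new `ciphers_def` names break the table's own pattern: `"echde_rsa_null"` (transposed letters, no `_sha`), `"ecdh_rsa_128_sha"` (no `rc4`) and `"ecdh_anon_rc4_128sha"` (missing underscore). These strings are what an administrator writes in `NSSCipherSuite`, so someone who types the regular spelling to switch a suite off, for example `-ecdhe_rsa_null_sha`, would presumably not match the entry; the parser is outside this hunk. I would use `"ecdhe_rsa_null_sha"`, `"ecdh_rsa_rc4_128_sha"` and `"ecdh_anon_rc4_128_sha"` and change the commented sample line in nss.conf.in to match. The 25 new rows agree with `#define ciphernum 48` in mod_nss.h, but that count is maintained by hand, so a comment beside the table naming the define would help the next person who adds a suite.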
@@ -749,58 +781,50 @@ static void nss_init_ctx(server_rec *s, nss_init_ctx_cipher_suite(s, p, ptemp, mctx); } -static void nss_init_server_certs(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, - modnss_ctx_t *mctx) +static void nss_init_certificate(server_rec *s, const char *nickname, + CERTCertificate **servercert, + SECKEYPrivateKey **serverkey, + SSLKEAType *KEAtype, + PRFileDesc *model, + int enforce) { SECCertTimeValidity certtimestatus; SECStatus secstatus; PK11SlotInfo* slot = NULL; - - /* - * Get own certificate and private key. - */ - if (mctx->nickname == NULL && mctx->as_server) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "No certificate nickname provided."); - nss_die(); + if (nickname == NULL) { + return; } - if (mctx->nickname != NULL) { - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Using nickname %s.", mctx->nickname); - mctx->servercert = FindServerCertFromNickname(mctx->nickname); - } + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "Using nickname %s.", nickname); + + *servercert = FindServerCertFromNickname(nickname); /* Verify the certificate chain. */ - if (mctx->servercert != NULL && mctx->as_server) { + if (*servercert != NULL) { SECCertificateUsage usage = certificateUsageSSLServer; - if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), mctx->servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { + if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Certificate not verified: '%s'", mctx->nickname); + "Certificate not verified: '%s'", nickname); nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); - if (mctx->enforce) { + if (enforce) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", mctx->nickname); + "Unable to verify certificate '%s'. 
Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname); nss_die(); } } - } - - if (NULL == mctx->servercert && mctx->as_server) - { + } else { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Certificate not found: '%s'", mctx->nickname); + "Certificate not found: '%s'", nickname); nss_die(); } - if (mctx->nickname && strchr(mctx->nickname, ':')) + if (strchr(nickname, ':')) { - char* token = strdup(mctx->nickname); + char* token = strdup(nickname); char* colon = strchr(token, ':'); if (colon) { *colon = 0; @@ -822,21 +846,19 @@ static void nss_init_server_certs(server_rec *s, else { slot = PK11_GetInternalKeySlot(); } - - if (mctx->servercert) { - mctx->serverkey = PK11_FindPrivateKeyFromCert(slot, mctx->servercert, NULL); - } + + *serverkey = PK11_FindPrivateKeyFromCert(slot, *servercert, NULL); + PK11_FreeSlot(slot); - if (mctx->as_server && mctx->serverkey == NULL) { + if (*serverkey == NULL) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Key not found for: '%s'", mctx->nickname); + "Key not found for: '%s'", nickname); nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); nss_die(); } - if (mctx->as_server) { - mctx->serverKEAType = NSS_FindCertKEAType(mctx->servercert); + *KEAtype = NSS_FindCertKEAType(*servercert); /* * Check for certs that are expired or not yet valid and WARN about it @@ -846,7 +868,7 @@ static void nss_init_server_certs(server_rec *s, * for every virtual server - too expensive? */ - certtimestatus = CERT_CheckCertValidTimes(mctx->servercert, PR_Now(), PR_FALSE); + certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE); switch (certtimestatus) { case secCertTimeValid: 
@@ -854,35 +876,69 @@ static void nss_init_server_certs(server_rec *s, break; case secCertTimeExpired: ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Server certificate is expired: '%s'", mctx->nickname); + "Server certificate is expired: '%s'", nickname); break; case secCertTimeNotValidYet: ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Certificate is not valid yet '%s'", mctx->nickname); + "Certificate is not valid yet '%s'", nickname); default: ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Unhandled Certificate time type %d for: '%s'", certtimestatus, mctx->nickname); + "Unhandled Certificate time type %d for: '%s'", certtimestatus, nickname); break; } - } - secstatus = (SECStatus)SSL_SetPKCS11PinArg(mctx->model, NULL); + secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype); if (secstatus != SECSuccess) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Error setting PKCS11 pin argument: '%s'", mctx->nickname); + "SSL error configuring server: '%s'", nickname); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); nss_die(); } - +} + + +static void nss_init_server_certs(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, + modnss_ctx_t *mctx) +{ + SECCertTimeValidity certtimestatus; + SECStatus secstatus; + + PK11SlotInfo* slot = NULL; + + /* + * Get own certificate and private key. 
+ */ if (mctx->as_server) { - secstatus = SSL_ConfigSecureServer(mctx->model, mctx->servercert, mctx->serverkey, mctx->serverKEAType); - if (secstatus != SECSuccess) { - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "SSL error configuring server: '%s'", mctx->nickname); - nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); +#ifdef NSS_ENABLE_ECC + if (mctx->nickname == NULL && mctx->eccnickname == NULL) +#else + if (mctx->nickname == NULL) +#endif + { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "No certificate nickname provided."); nss_die(); } + + nss_init_certificate(s, mctx->nickname, &mctx->servercert, + &mctx->serverkey, &mctx->serverKEAType, + mctx->model, mctx->enforce); +#ifdef NSS_ENABLE_ECC + nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert, + &mctx->eccserverkey, &mctx->eccserverKEAType, + mctx->model, mctx->enforce); +#endif } + secstatus = (SECStatus)SSL_SetPKCS11PinArg(mctx->model, NULL); + if (secstatus != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "Error setting PKCS11 pin argument: '%s'", mctx->nickname); + nss_die(); + } + secstatus = (SECStatus)SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback)NSSHandshakeCallback, NULL); if (secstatus != SECSuccess) { @@ -958,8 +1014,16 @@ apr_status_t nss_init_ModuleKill(void *data) sc = mySrvConfig(s); if (sc->enabled) { - CERT_DestroyCertificate(sc->server->servercert); - SECKEY_DestroyPrivateKey(sc->server->serverkey); + if (sc->server->nickname) { + CERT_DestroyCertificate(sc->server->servercert); + SECKEY_DestroyPrivateKey(sc->server->serverkey); + } +#ifdef NSS_ENABLE_ECC + if (sc->server->eccnickname) { + CERT_DestroyCertificate(sc->server->eccservercert); + SECKEY_DestroyPrivateKey(sc->server->eccserverkey); + } +#endif /* Closing this implicitly cleans up the copy of the certificates * and keys associated with any SSL socket */ diff --git a/nss_engine_io.c b/nss_engine_io.c index 1ac74e0..6d8d950 100644 --- a/nss_engine_io.c +++ b/nss_engine_io.c 
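Review bot: In the `switch (certtimestatus)` that this hunk moves into nss_init_certificate(), `case secCertTimeNotValidYet:` has no `break;`, so a not-yet-valid certificate also falls into `default:` and logs "Unhandled Certificate time type"; add `break;` after the "Certificate is not valid yet" call. In the rewritten nss_init_server_certs(), the "Error setting PKCS11 pin argument: '%s'" message still formats `mctx->nickname`, which can now be NULL when only `eccnickname` is configured. The locals `certtimestatus` and `slot` declared there appear to be unused after the move and can be dropped.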
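Review bot: The cleanup added to nss_init_ModuleKill() is keyed on the configured nickname strings rather than on the objects being released. Testing the pointers themselves, for example `if (sc->server->eccservercert) CERT_DestroyCertificate(sc->server->eccservercert);`, keeps the destroy calls tied to what was actually loaded, and the same form works for the RSA pair and for both private keys. Whether a nickname can be set on an enabled server that never went through nss_init_certificate() is not visible here, since the function continues outside the hunk.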
@@ -652,7 +652,7 @@ static apr_status_t nss_io_filter_cleanup(void *data) conn_rec *c = filter_ctx->c; SSLConnRec *sslconn = myConnConfig(c); - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, c->base_server, "SSL connection destroyed without being closed"); PR_Close(sslconn->ssl); @@ -859,7 +859,7 @@ static apr_status_t nss_io_filter_output(ap_filter_t *f, filter_ctx->nobuffer = 1; status = nss_filter_io_shutdown(filter_ctx, f->c, 0); if (status != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_INFO, status, NULL, + ap_log_error(APLOG_MARK, APLOG_INFO, status, f->c->base_server, "SSL filter error shutting down I/O"); } if ((status = ap_pass_brigade(f->next, bb)) != APR_SUCCESS) { diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c index 167b9f0..84323c8 100644 --- a/nss_engine_kernel.c +++ b/nss_engine_kernel.c @@ -446,6 +446,9 @@ int nss_hook_Access(request_rec *r) "Performing full renegotiation: " "complete handshake protocol"); + /* Do NOT call SSL_ResetHandshake as this will tear down the + * existing connection. + */ if (SSL_HandshakeCallback(ssl, HandshakeDone, (void *)&handshake_done) || SSL_ReHandshake(ssl, PR_TRUE)) { int errCode = PR_GetError(); if (errCode == SEC_ERROR_INVALID_ARGS) { @@ -461,7 +464,7 @@ int nss_hook_Access(request_rec *r) return HTTP_FORBIDDEN; } - ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "Awaiting re-negotiation handshake"); while (!handshake_done) { @@ -500,7 +503,9 @@ int nss_hook_Access(request_rec *r) "Re-negotiation handshake failed: " "Not accepted by client!?"); +#if 0 r->connection->aborted = 1; +#endif return HTTP_FORBIDDEN; } } @@ -724,6 +729,7 @@ static const char *nss_hook_Fixup_vars[] = { "SSL_VERSION_LIBRARY", "SSL_PROTOCOL", "SSL_CIPHER", + "SSL_CIPHER_NAME", "SSL_CIPHER_EXPORT", "SSL_CIPHER_USEKEYSIZE", "SSL_CIPHER_ALGKEYSIZE", diff --git a/nss_engine_vars.c b/nss_engine_vars.c index 4d18c9a..f5fb045 100644 
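Review bot: The `#if 0` around `r->connection->aborted = 1;` in nss_hook_Access() disables the abort on a failed renegotiation without saying why. The request is still refused with HTTP_FORBIDDEN, but the connection is no longer marked aborted, so it may stay usable for later requests on the session that did not renegotiate. That is presumably intended, but it is an access-control decision and should be stated. I would delete the dead line and leave a comment in its place, for example `/* connection deliberately left open after a failed renegotiation: <reason> */`. The function body starts and ends outside the hunk.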
--- a/nss_engine_vars.c +++ b/nss_engine_vars.c @@ -363,10 +363,10 @@ static char *nss_var_lookup_nss_cert(apr_pool_t *p, CERTCertificate *xs, char *v if (SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof suite) == SECSuccess) { - result = apr_psprintf(p, "%s", suite.keaTypeName); + result = apr_psprintf(p, "%s_%s", suite.keaTypeName, suite.authAlgorithmName); } } else - result = apr_pstrdup(p, "UNKNOWN"); + result = apr_pstrdup(p, "UNKNOWN_UNKNOWN"); resdup = FALSE; } @@ -582,6 +582,25 @@ static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var) result = apr_psprintf(p, "%d", keySize); resdup = FALSE; } + else if (strcEQ(var, "_NAME")) { + SSLChannelInfo channel; + SSLCipherSuiteInfo suite; + SSLConnRec *sslconn = myConnConfig(c); + + if (SSL_GetChannelInfo(sslconn->ssl, &channel, sizeof channel) == + SECSuccess && channel.length == sizeof channel && + channel.cipherSuite) + { + if (SSL_GetCipherSuiteInfo(channel.cipherSuite, + &suite, sizeof suite) == SECSuccess) + { + result = apr_psprintf(p, "%s", suite.cipherSuiteName); + } + } else + result = apr_pstrdup(p, "UNKNOWN"); + + resdup = FALSE; + } if (result != NULL && resdup) result = apr_pstrdup(p, result); |
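Review bot: In the new `_NAME` branch of nss_var_lookup_nss_cipher(), `result` stays NULL when SSL_GetChannelInfo() succeeds but SSL_GetCipherSuiteInfo() fails, because the `else` that yields "UNKNOWN" pairs only with the outer `if`; the `%s_%s` hunk above has the same shape. Adding `else result = apr_pstrdup(p, "UNKNOWN");` to the inner `if`, with braces on both levels, makes the fallback uniform. `sslconn` from myConnConfig(c) is dereferenced without a NULL check inside this branch; whether an earlier guard in the function covers that is outside the hunk. `apr_psprintf(p, "%s", suite.cipherSuiteName)` can simply be `apr_pstrdup(p, suite.cipherSuiteName)`.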
