From: Dave H. <hel...@us...> - 2013-10-24 01:21:16
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "sfcb - Small Footprint CIM Broker". The branch, master_1.3 has been updated via 93a908cd8ab0e74d22a70849824453c3bb6d45b7 (commit) from 1afe5a3e6bf4c012e232bb0b87ccda55e3ccfdac (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 93a908cd8ab0e74d22a70849824453c3bb6d45b7
Author: Dave Heller <hel...@us...>
Date: Wed Oct 23 21:19:35 2013 -0400
[sfcb-tix:#87] Support configurable SSL ECDH elliptic curve name
-----------------------------------------------------------------------
Summary of changes:
control.c | 1 +
httpAdapter.c | 22 ++++++++++++++++++++++
sfcb.cfg.pre.in | 9 +++++++++
3 files changed, 32 insertions(+), 0 deletions(-)
diff --git a/control.c b/control.c
index 369399e..d7d833a 100644
--- a/control.c
+++ b/control.c
@@ -110,6 +110,7 @@ static Control init[] = {
 {"sslCertificateFilePath", 0, SFCB_CONFDIR "/server.pem"},
 {"sslCiphers", 0, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"},
 {"sslDhParamsFilePath", 0, NULL},
+ {"sslEcDhCurveName", 0, "secp224r1"},
 {"registrationDir", 0, SFCB_STATEDIR "/registration"},
 {"providerDirs", 3, SFCB_LIBDIR " " CMPI_LIBDIR " " LIBDIR}, /* 3: unstripped */
diff --git a/httpAdapter.c b/httpAdapter.c
index 8891e92..5c02237 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
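Review bot: The default `"secp224r1"` added to the init table pins the server to NIST P-224, which gives roughly 112-bit security and is typically not among the curves mainstream TLS clients advertise in their supported-curves extension (P-256, P-384, P-521), so with a single fixed curve via SSL_CTX_set_tmp_ecdh those clients either lose the ECDHE suites and fall back to the non-forward-secret RSA suites still permitted by the `sslCiphers` default two lines above, or fail the handshake, depending on the OpenSSL version. `prime256v1` is the interoperable choice and no weaker; I would change the entry to `{"sslEcDhCurveName", 0, "prime256v1"},` and keep the documented default in the sfcb.cfg.pre.in hunk in step with it. The init[] array starts and ends outside the hunk.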
@@ -1781,6 +1781,28 @@ initSSL()
 }
 #endif // HEADER_DH_H
+#if (defined HEADER_EC_H && !defined OPENSSL_NO_EC)
+ /*
+ * Set ECDH curve name for ephemeral key generation
+ */
+ char *ecdh_curve_name;
+ getControlChars("sslEcDhCurveName", &ecdh_curve_name);
+ if (ecdh_curve_name) {
+ _SFCB_TRACE(1, ("--- sslEcDhCurveName = %s", ecdh_curve_name));
+ EC_KEY *ecdh = EC_KEY_new_by_curve_name(OBJ_sn2nid(ecdh_curve_name));
+ if (ecdh) {
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+ EC_KEY_free(ecdh);
+ } else {
+ unsigned long sslqerr = ERR_get_error();
+ mlogf(M_ERROR, M_SHOW, "--- Failure setting ECDH curve name (%s): %s\n",
+ ecdh_curve_name, sslqerr != 0 ?
+ ERR_error_string(sslqerr, NULL ) : "unknown openssl error");
+ intSSLerror("Error setting ECDH curve name for SSL");
+ }
+ }
+#endif // HEADER_EC_H
+
 sslReloadRequested = 0;
 }
 #endif // USE_SSL
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index f3f8f6e..457ffd7 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
@@ -219,6 +219,15 @@ sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
 ## Default is: not set
 #sslDhParamsFilePath: @sysconfdir@/sfcb/dh_param_file.pem
+## Configure a curve name for ECDH ephemeral key generation. See man
+## SSL_CTX_set_tmp_ecdh(3) for details. The value should be a curve name
+## listed by the "openssl ecparam -list_curves" command in the SFCB runtime
+## environment. If this value is not set, the indicated default is in effect.
+## If the value is set but the curve name is not recognized by the underlying
+## openssl implementation, SFCB will abort.
+## Default is secp224r1
+#sslEcDhCurveName: secp224r1
+
 ##---------------------------------- UDS --------------------------------------
 ## These options only apply if configured with --enable-uds
hooks/post-receive -- sfcb - Small Footprint CIM Broker |
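Review bot: `ecdh_curve_name` is declared without an initializer and the return value of `getControlChars` is discarded, so if the lookup can fail without writing through its output pointer (its contract is not visible here) the following `if (ecdh_curve_name)` reads an indeterminate value; write `char *ecdh_curve_name = NULL;` or test the return code. The result of `SSL_CTX_set_tmp_ecdh(ctx, ecdh)` is also ignored, so a failure inside that call is reported as success; capture it before the key is freed, e.g. `long rc = SSL_CTX_set_tmp_ecdh(ctx, ecdh); EC_KEY_free(ecdh); if (rc != 1) intSSLerror("Error setting ECDH curve for SSL");`. `ERR_error_string(sslqerr, NULL)` formats into a static buffer, so `ERR_error_string_n` with a local buffer would be the safer choice if initSSL can run on more than one thread, which the sslReloadRequested reset at the end suggests is at least possible. initSSL begins outside the hunk; its closing brace is the second-to-last context line.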