This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "sfcb - Small Footprint CIM Broker".
The branch master_1.3 has been updated
via 93a908cd8ab0e74d22a70849824453c3bb6d45b7 (commit)
from 1afe5a3e6bf4c012e232bb0b87ccda55e3ccfdac (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 93a908cd8ab0e74d22a70849824453c3bb6d45b7
Author: Dave Heller <hel...@us...>
Date: Wed Oct 23 21:19:35 2013 -0400
[sfcb-tix:#87] Support configurable SSL ECDH elliptic curve name
-----------------------------------------------------------------------
Summary of changes:
control.c | 1 +
httpAdapter.c | 22 ++++++++++++++++++++++
sfcb.cfg.pre.in | 9 +++++++++
3 files changed, 32 insertions(+), 0 deletions(-)
diff --git a/control.c b/control.c
index 369399e..d7d833a 100644
--- a/control.c
+++ b/control.c
@@ -110,6 +110,7 @@ static Control init[] = {
{"sslCertificateFilePath", 0, SFCB_CONFDIR "/server.pem"},
{"sslCiphers", 0, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"},
{"sslDhParamsFilePath", 0, NULL},
+ {"sslEcDhCurveName", 0, "secp224r1"},
{"registrationDir", 0, SFCB_STATEDIR "/registration"},
{"providerDirs", 3, SFCB_LIBDIR " " CMPI_LIBDIR " " LIBDIR}, /* 3: unstripped */
diff --git a/httpAdapter.c b/httpAdapter.c
index 8891e92..5c02237 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
@@ -1781,6 +1781,28 @@ initSSL()
}
#endif // HEADER_DH_H
+#if (defined HEADER_EC_H && !defined OPENSSL_NO_EC)
+ /*
+ * Set ECDH curve name for ephemeral key generation
+ */
+ char *ecdh_curve_name;
+ getControlChars("sslEcDhCurveName", &ecdh_curve_name);
+ if (ecdh_curve_name) {
+ _SFCB_TRACE(1, ("--- sslEcDhCurveName = %s", ecdh_curve_name));
+ EC_KEY *ecdh = EC_KEY_new_by_curve_name(OBJ_sn2nid(ecdh_curve_name));
+ if (ecdh) {
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+ EC_KEY_free(ecdh);
+ } else {
+ unsigned long sslqerr = ERR_get_error();
+ mlogf(M_ERROR, M_SHOW, "--- Failure setting ECDH curve name (%s): %s\n",
+ ecdh_curve_name, sslqerr != 0 ?
+ ERR_error_string(sslqerr, NULL ) : "unknown openssl error");
+ intSSLerror("Error setting ECDH curve name for SSL");
+ }
+ }
+#endif // HEADER_EC_H
+
sslReloadRequested = 0;
}
#endif // USE_SSL
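Review bot: `OBJ_sn2nid(ecdh_curve_name)` returns NID_undef for a name OpenSSL does not recognize, and that value is passed straight into `EC_KEY_new_by_curve_name`, so a misspelled `sslEcDhCurveName` is only reported indirectly through whatever happens to be on the OpenSSL error queue. Checking the NID first gives the operator a direct message: `int nid = OBJ_sn2nid(ecdh_curve_name);` then `if (nid == NID_undef) { mlogf(M_ERROR, M_SHOW, "--- Unknown ECDH curve name: %s\n", ecdh_curve_name); intSSLerror("Error setting ECDH curve name for SSL"); }` before the EC_KEY allocation. Separately, `ERR_error_string(sslqerr, NULL)` formats into a static buffer shared across callers; `ERR_error_string_n(sslqerr, errbuf, sizeof errbuf)` with a local `char errbuf[256]` avoids that shared state. initSSL() begins outside the hunk, so whether `ctx` is already validated non-NULL at this point cannot be confirmed from here.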
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index f3f8f6e..457ffd7 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
@@ -219,6 +219,15 @@ sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
## Default is: not set
#sslDhParamsFilePath: @sysconfdir@/sfcb/dh_param_file.pem
+## Configure a curve name for ECDH ephemeral key generation. See man
+## SSL_CTX_set_tmp_ecdh(3) for details. The value should be a curve name
+## listed by the "openssl ecparam -list_curves" command in the SFCB runtime
+## environment. If this value is not set, the indicated default is in effect.
+## If the value is set but the curve name is not recognized by the underlying
+## openssl implementation, SFCB will abort.
+## Default is secp224r1
+#sslEcDhCurveName: secp224r1
+
##---------------------------------- UDS --------------------------------------
## These options only apply if configured with --enable-uds