This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "sfcb - Small Footprint CIM Broker".
The branch, master has been updated
via cc5e641739542c764d9803119720641447d9ea32 (commit)
from 75a18c1ac51fa6a8fa9684168e010588312bfc60 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit cc5e641739542c764d9803119720641447d9ea32
Author: Dave Heller <hel...@us...>
Date: Wed Oct 23 20:45:50 2013 -0400
[sfcb-tix:#87] Support configurable SSL ECDH elliptic curve name
-----------------------------------------------------------------------
Summary of changes:
control.c | 1 +
httpAdapter.c | 22 ++++++++++++++++++++++
sfcb.cfg.pre.in | 9 +++++++++
3 files changed, 32 insertions(+), 0 deletions(-)
diff --git a/control.c b/control.c
index 2ae5e8a..1e64c42 100644
--- a/control.c
+++ b/control.c
@@ -118,6 +118,7 @@ static Control init[] = {
{"sslCertList", CTL_STRING, SFCB_CONFDIR "/clist.pem", {0}},
{"sslCiphers", CTL_STRING, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", {0}},
{"sslDhParamsFilePath", CTL_STRING, NULL, {0}},
+ {"sslEcDhCurveName", CTL_STRING, "secp224r1", {0}},
{"registrationDir", CTL_STRING, SFCB_STATEDIR "/registration", {0}},
{"providerDirs", CTL_USTRING, SFCB_LIBDIR " " CMPI_LIBDIR " " LIBDIR, {0}},
diff --git a/httpAdapter.c b/httpAdapter.c
index 8a11ee3..6ebf481 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
@@ -2098,6 +2098,28 @@ initSSL()
}
#endif // HEADER_DH_H
+#if (defined HEADER_EC_H && !defined OPENSSL_NO_EC)
+ /*
+ * Set ECDH curve name for ephemeral key generation
+ */
+ char *ecdh_curve_name;
+ getControlChars("sslEcDhCurveName", &ecdh_curve_name);
+ if (ecdh_curve_name) {
+ _SFCB_TRACE(1, ("--- sslEcDhCurveName = %s", ecdh_curve_name));
+ EC_KEY *ecdh = EC_KEY_new_by_curve_name(OBJ_sn2nid(ecdh_curve_name));
+ if (ecdh) {
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+ EC_KEY_free(ecdh);
+ } else {
+ unsigned long sslqerr = ERR_get_error();
+ mlogf(M_ERROR, M_SHOW, "--- Failure setting ECDH curve name (%s): %s\n",
+ ecdh_curve_name, sslqerr != 0 ?
+ ERR_error_string(sslqerr, NULL ) : "unknown openssl error");
+ intSSLerror("Error setting ECDH curve name for SSL");
+ }
+ }
+#endif // HEADER_EC_H
+
sslReloadRequested = 0;
}
#endif // USE_SSL
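Review bot: The return value of `SSL_CTX_set_tmp_ecdh(ctx, ecdh)` is discarded, so if OpenSSL rejects the key the broker continues without an ephemeral ECDH key while the trace line suggests the curve was applied; the NULL check on the next line only covers the lookup, not the install. Since the call copies the key, the free can stay where it is and the check fits in three lines: `int ok = SSL_CTX_set_tmp_ecdh(ctx, ecdh);` / `EC_KEY_free(ecdh);` / `if (ok != 1) intSSLerror("Error setting ECDH curve for SSL");`, which matches the abort behaviour the new sfcb.cfg.pre.in text promises for a bad curve name. Separately, the secp224r1 default from control.c is worth a second look for interoperability, as mainstream TLS clients generally do not offer that curve and would fall back to non-ECDHE suites — prime256v1 is the more commonly negotiated choice, though that is a policy decision rather than a defect in this hunk. initSSL's body begins outside the hunk.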
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index f61d8df..d575a7e 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
@@ -282,6 +282,15 @@ sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
## Default is: not set
#sslDhParamsFilePath: @sysconfdir@/sfcb/dh_param_file.pem
+## Configure a curve name for ECDH ephemeral key generation. See man
+## SSL_CTX_set_tmp_ecdh(3) for details. The value should be a curve name
+## listed by the "openssl ecparam -list_curves" command in the SFCB runtime
+## environment. If this value is not set, the indicated default is in effect.
+## If the value is set but the curve name is not recognized by the underlying
+## openssl implementation, SFCB will abort.
+## Default is secp224r1
+#sslEcDhCurveName: secp224r1
+
##---------------------------------- UDS --------------------------------------
## These options only apply if configured with --enable-uds