[Fedora-directory-commits] mod_nss Makefile.am, 1.10, 1.11 Makefile.in, 1.17, 1.18 configure, 1.14, 1.15 configure.in, 1.10, 1.11 mod_nss.c, 1.10, 1.11 mod_nss.h, 1.9, 1.10 nss.conf.in, 1.7, 1.8 nss_engine_config.c, 1.9, 1.10 nss_engine_init.c, 1.16, 1.17 nss_engine_io.c, 1.4, 1.5 nss_engine_kernel.c, 1.3, 1.4 nss_engine_vars.c, 1.4, 1.5
Robert Crittenden (rcritten)
fedora-directory-commits at redhat.com
Thu Mar 2 19:22:02 UTC 2006
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29295
Modified Files:
Makefile.am Makefile.in configure configure.in mod_nss.c
mod_nss.h nss.conf.in nss_engine_config.c nss_engine_init.c
nss_engine_io.c nss_engine_kernel.c nss_engine_vars.c
Log Message:
Add support for Elliptic Curve Cryptography (ECC). This is disabled
by default. To enable it, pass --enable-ecc to configure.
Index: Makefile.am
===================================================================
RCS file: /cvs/dirsec/mod_nss/Makefile.am,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- Makefile.am 26 Feb 2006 00:30:56 -0000 1.10
+++ Makefile.am 2 Mar 2006 19:21:54 -0000 1.11
@@ -12,7 +12,6 @@
## Set the includes and libraries needed
INCLUDES = -I at apache_inc@ @nspr_inc@ @nss_inc@ @apr_inc@
LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4
- at SSL2_TRUE@AM_CFLAGS=-DWANT_SSL2
EXTRA_CPPFLAGS=@extra_cppflags@
install-libLTLIBRARIES: libmodnss.la
Index: Makefile.in
===================================================================
RCS file: /cvs/dirsec/mod_nss/Makefile.in,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- Makefile.in 26 Feb 2006 00:30:56 -0000 1.17
+++ Makefile.in 2 Mar 2006 19:21:54 -0000 1.18
@@ -121,7 +121,6 @@
INCLUDES = -I at apache_inc@ @nspr_inc@ @nss_inc@ @apr_inc@
LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4
- at SSL2_TRUE@AM_CFLAGS = -DWANT_SSL2
EXTRA_CPPFLAGS = @extra_cppflags@
LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
Index: configure
===================================================================
RCS file: /cvs/dirsec/mod_nss/configure,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- configure 26 Feb 2006 00:34:57 -0000 1.14
+++ configure 2 Mar 2006 19:21:54 -0000 1.15
@@ -462,7 +462,7 @@
# include <unistd.h>
#endif"
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO AMTAR install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM AWK SET_MAKE CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE build build_cpu build_vendor build_os host host_cpu host_vendor host_os EGREP LN_S ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CPP CXX CXXFLAGS ac_ct_CXX CXXDEPMODE CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL YACC LEX LEXLIB LEX_OUTPUT_ROOT SSL2_TRUE SSL2_FALSE APR_CONFIG APXS PKG_CONFIG apr_inc apache_inc apache_conf apache_prefix apache_bin nspr_inc ns!
pr_lib nss_inc nss_lib nspr_dir nss_dir extra_cppflags LIBOBJS LTLIBOBJS'
+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO AMTAR install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM AWK SET_MAKE CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE build build_cpu build_vendor build_os host host_cpu host_vendor host_os EGREP LN_S ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CPP CXX CXXFLAGS ac_ct_CXX CXXDEPMODE CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL YACC LEX LEXLIB LEX_OUTPUT_ROOT APR_CONFIG APXS PKG_CONFIG apr_inc apache_inc apache_conf apache_prefix apache_bin nspr_inc nspr_lib nss_inc nss_li!
b nspr_dir nss_dir extra_cppflags LIBOBJS LTLIBOBJS'
ac_subst_files=''
# Initialize some variables set by options.
@@ -1032,6 +1032,7 @@
optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds)
--enable-ssl2 enable SSLv2 (default=no)
+ --enable-ecc enable Elliptical Curve Cyptography (default=no)
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -3568,7 +3569,7 @@
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 3571 "configure"' > conftest.$ac_ext
+ echo '#line 3572 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -5100,7 +5101,7 @@
# Provide some information about the compiler.
-echo "$as_me:5103:" \
+echo "$as_me:5104:" \
"checking for Fortran 77 compiler version" >&5
ac_compiler=`set X $ac_compile; echo $2`
{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
@@ -6134,11 +6135,11 @@
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6137: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6138: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:6141: \$? = $ac_status" >&5
+ echo "$as_me:6142: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -6367,11 +6368,11 @@
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6370: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6371: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:6374: \$? = $ac_status" >&5
+ echo "$as_me:6375: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -6427,11 +6428,11 @@
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6430: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6431: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:6434: \$? = $ac_status" >&5
+ echo "$as_me:6435: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -7761,7 +7762,7 @@
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 7764 "configure"' > conftest.$ac_ext
+ echo '#line 7765 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -8632,7 +8633,7 @@
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 8635 "configure"
+#line 8636 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -8730,7 +8731,7 @@
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 8733 "configure"
+#line 8734 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -10909,11 +10910,11 @@
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10912: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10913: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:10916: \$? = $ac_status" >&5
+ echo "$as_me:10917: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -10969,11 +10970,11 @@
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10972: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10973: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:10976: \$? = $ac_status" >&5
+ echo "$as_me:10977: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -11480,7 +11481,7 @@
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 11483 "configure"' > conftest.$ac_ext
+ echo '#line 11484 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -12351,7 +12352,7 @@
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 12354 "configure"
+#line 12355 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -12449,7 +12450,7 @@
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 12452 "configure"
+#line 12453 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -13276,11 +13277,11 @@
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:13279: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:13280: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:13283: \$? = $ac_status" >&5
+ echo "$as_me:13284: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -13336,11 +13337,11 @@
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:13339: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:13340: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:13343: \$? = $ac_status" >&5
+ echo "$as_me:13344: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -14650,7 +14651,7 @@
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 14653 "configure"' > conftest.$ac_ext
+ echo '#line 14654 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -15391,11 +15392,11 @@
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:15394: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:15395: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:15398: \$? = $ac_status" >&5
+ echo "$as_me:15399: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -15624,11 +15625,11 @@
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:15627: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:15628: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:15631: \$? = $ac_status" >&5
+ echo "$as_me:15632: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -15684,11 +15685,11 @@
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:15687: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:15688: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:15691: \$? = $ac_status" >&5
+ echo "$as_me:15692: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -17018,7 +17019,7 @@
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 17021 "configure"' > conftest.$ac_ext
+ echo '#line 17022 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -17889,7 +17890,7 @@
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 17892 "configure"
+#line 17893 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -17987,7 +17988,7 @@
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 17990 "configure"
+#line 17991 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -19761,20 +19762,31 @@
if test $ssl2 = yes; then
echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6
+ extra_cppflags="$extra_cppflags -DWANT_SSL2"
else
echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6
fi
+#AM_CONDITIONAL(SSL2, test x$ssl2 = xyes)
-
-if test x$ssl2 = xyes; then
- SSL2_TRUE=
- SSL2_FALSE='#'
+echo "$as_me:$LINENO: checking for ECC" >&5
+echo $ECHO_N "checking for ECC... $ECHO_C" >&6
+# Check whether --enable-ecc or --disable-ecc was given.
+if test "${enable_ecc+set}" = set; then
+ enableval="$enable_ecc"
+ ecc=$enableval
+else
+ ecc=no
+fi;
+if test $ecc = yes; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ extra_cppflags="$extra_cppflags -DNSS_ENABLE_ECC"
else
- SSL2_TRUE='#'
- SSL2_FALSE=
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
fi
-
+#AM_CONDITIONAL(ECC, test x$ecc = xyes)
{ echo "$as_me:$LINENO: checking for apr-config..." >&5
echo "$as_me: checking for apr-config..." >&6;}
@@ -19954,7 +19966,7 @@
apache_conf=`$APXS -q SYSCONFDIR`
apache_prefix=`$APXS -q PREFIX`
apache_bin=`$APXS -q SBINDIR`
-extra_cppflags=`$APXS -q EXTRA_CPPFLAGS`
+extra_cppflags="$extra_cppflags `$APXS -q EXTRA_CPPFLAGS`"
if ! test -f "$apache_inc/apr.h"; then
if test -z "$apr_inc"; then
@@ -20387,13 +20399,6 @@
Usually this means the macro was only invoked conditionally." >&2;}
{ (exit 1); exit 1; }; }
fi
-if test -z "${SSL2_TRUE}" && test -z "${SSL2_FALSE}"; then
- { { echo "$as_me:$LINENO: error: conditional \"SSL2\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"SSL2\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
- { (exit 1); exit 1; }; }
-fi
: ${CONFIG_STATUS=./config.status}
ac_clean_files_save=$ac_clean_files
@@ -20981,8 +20986,6 @@
s, at LEX@,$LEX,;t t
s, at LEXLIB@,$LEXLIB,;t t
s, at LEX_OUTPUT_ROOT@,$LEX_OUTPUT_ROOT,;t t
-s, at SSL2_TRUE@,$SSL2_TRUE,;t t
-s, at SSL2_FALSE@,$SSL2_FALSE,;t t
s, at APR_CONFIG@,$APR_CONFIG,;t t
s, at APXS@,$APXS,;t t
s, at PKG_CONFIG@,$PKG_CONFIG,;t t
Index: configure.in
===================================================================
RCS file: /cvs/dirsec/mod_nss/configure.in,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- configure.in 26 Feb 2006 00:30:56 -0000 1.10
+++ configure.in 2 Mar 2006 19:21:54 -0000 1.11
@@ -28,10 +28,23 @@
ssl2=$enableval, ssl2=no)
if test $ssl2 = yes; then
AC_MSG_RESULT(yes)
+ extra_cppflags="$extra_cppflags -DWANT_SSL2"
else
AC_MSG_RESULT(no)
fi
-AM_CONDITIONAL(SSL2, test x$ssl2 = xyes)
+#AM_CONDITIONAL(SSL2, test x$ssl2 = xyes)
+
+AC_MSG_CHECKING(for ECC)
+AC_ARG_ENABLE(ecc,
+ [ --enable-ecc enable Elliptical Curve Cyptography (default=no)],
+ ecc=$enableval, ecc=no)
+if test $ecc = yes; then
+ AC_MSG_RESULT(yes)
+ extra_cppflags="$extra_cppflags -DNSS_ENABLE_ECC"
+else
+ AC_MSG_RESULT(no)
+fi
+#AM_CONDITIONAL(ECC, test x$ecc = xyes)
AC_CHECKING(for apr-config)
# check for --with-apr-config
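Review bot: The new `if test $ecc = yes; then` leaves `$ecc` unquoted, so `--enable-ecc=` with an empty or multi-word value makes `test` print a syntax error; `if test "x$ecc" = xyes; then` avoids that (the existing `$ssl2` test just above has the same shape). The help string reads "Elliptical Curve Cyptography", which should be "Elliptic Curve Cryptography". The commented-out `#AM_CONDITIONAL(...)` lines could simply be deleted now that both flags travel through `extra_cppflags`.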
@@ -97,7 +110,7 @@
apache_conf=`$APXS -q SYSCONFDIR`
apache_prefix=`$APXS -q PREFIX`
apache_bin=`$APXS -q SBINDIR`
-extra_cppflags=`$APXS -q EXTRA_CPPFLAGS`
+extra_cppflags="$extra_cppflags `$APXS -q EXTRA_CPPFLAGS`"
if ! test -f "$apache_inc/apr.h"; then
if test -z "$apr_inc"; then
Index: mod_nss.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- mod_nss.c 4 Jan 2006 22:07:58 -0000 1.10
+++ mod_nss.c 2 Mar 2006 19:21:54 -0000 1.11
@@ -86,8 +86,13 @@
"SSL Client Authentication "
"(`none', `optional', `require'")
SSL_CMD_SRV(Nickname, TAKE1,
- "SSL Server Certificate nickname "
+ "SSL RSA Server Certificate nickname "
"(`Server-Cert'")
+#ifdef NSS_ENABLE_ECC
+ SSL_CMD_SRV(ECCNickname, TAKE1,
+ "SSL ECC Server Certificate nickname "
+ "(`Server-Cert'")
+#endif
SSL_CMD_SRV(EnforceValidCerts, FLAG,
"Require a valid, trust, non-expired server certificate (default on)"
"(`on', `off'")
Index: mod_nss.h
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.h,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- mod_nss.h 4 Jan 2006 22:07:58 -0000 1.9
+++ mod_nss.h 2 Mar 2006 19:21:54 -0000 1.10
@@ -268,11 +268,20 @@
int tlsrollback;
int enforce;
const char *nickname;
+#ifdef NSS_ENABLE_ECC
+ const char *eccnickname;
+#endif
CERTCertificate *servercert;
SECKEYPrivateKey *serverkey;
SSLKEAType serverKEAType;
+#ifdef NSS_ENABLE_ECC
+ CERTCertificate *eccservercert;
+ SECKEYPrivateKey *eccserverkey;
+ SSLKEAType eccserverKEAType;
+#endif
+
PRFileDesc *model; /* used to model an SSL socket */
modnss_auth_ctx_t auth;
@@ -329,7 +338,11 @@
enum sslversion { SSL2=1, SSL3=2, TLS=4};
/* the table itself is defined in nss_engine_init.c */
+#ifdef NSS_ENABLE_ECC
+#define ciphernum 48
+#else
#define ciphernum 23
+#endif
/*
* function prototypes
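Review bot: `ciphernum` is now two hand-maintained literals (48 and 23) that must match the number of rows in the table in nss_engine_init.c; the 25 ECC rows this commit adds do bring 23 to 48, but nothing enforces that on the next edit. Any loop bounded by `ciphernum` would read past the table, or stop short of it, if the two drift. A comment here such as `/* 23 base suites + 25 ECC suites; keep in sync with the table in nss_engine_init.c */` would help, and a compile-time size check beside the table would be better if the table's declaration (not visible in this diff) allows it.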
@@ -353,6 +366,9 @@
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifdef NSS_ENABLE_ECC
+const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#endif
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int);
const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
Index: nss.conf.in
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss.conf.in,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- nss.conf.in 3 Oct 2005 14:59:26 -0000 1.7
+++ nss.conf.in 2 Mar 2006 19:21:54 -0000 1.8
@@ -86,14 +86,27 @@
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_nss documentation for a complete list.
-NSSCipherSuite +rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha
+
+# SSL 3 ciphers. SSL 2 is disabled by default.
+NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
+
+# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
+#
+# Comment out the NSSCipherSuite line above and use the one below if you have
+# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
+#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
# SSL Certificate Nickname:
-# The nickname of the server certificate you are going to use.
+# The nickname of the RSA server certificate you are going to use.
NSSNickname Server-Cert
+# SSL Certificate Nickname:
+# The nickname of the ECC server certificate you are going to use, if you
+# have an ECC-enabled version of NSS and mod_nss
+#NSSECCNickname Server-Cert-ecc
+
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
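Review bot: The commented ECC `NSSCipherSuite` example names 20 ECC suites, while the table added to nss_engine_init.c in this commit defines 25; the five `ecdh_anon_*` suites, which perform no server authentication, are not mentioned. Whether an unlisted suite stays disabled depends on parser defaults that are not visible in this diff, so the sample would be safer listing them explicitly with a leading `-`, as it already does for the `*_null_*` suites. Separately, the active RSA line changes defaults beyond ECC (it now enables `rsa_rc4_128_sha`, `rsa_aes_128_sha` and `rsa_aes_256_sha` and disables `rsa_des_sha`), which the log message does not mention.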
Index: nss_engine_config.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_config.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- nss_engine_config.c 3 Oct 2005 14:59:26 -0000 1.9
+++ nss_engine_config.c 2 Mar 2006 19:21:54 -0000 1.10
@@ -80,6 +80,9 @@
mctx->enforce = PR_TRUE;
mctx->nickname = NULL;
+#ifdef NSS_ENABLE_ECC
+ mctx->eccnickname = NULL;
+#endif
mctx->servercert = NULL;
mctx->serverkey = NULL;
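Review bot: This initialiser sets `mctx->eccnickname = NULL`, but nothing in the commit does the same for the new `eccservercert`, `eccserverkey` and `eccserverKEAType` fields, although `servercert` and `serverkey` are cleared explicitly on the lines just below. nss_engine_init.c now tests `mctx->eccservercert != NULL` in its re-initialisation guard, so unless the context is allocated zeroed (the allocation is outside this hunk) that test reads an indeterminate pointer. Adding `mctx->eccservercert = NULL;` and `mctx->eccserverkey = NULL;` inside a matching `#ifdef NSS_ENABLE_ECC` after the `serverkey` line would make it independent of the allocator. The enclosing function starts and ends outside the hunk.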
@@ -162,6 +165,9 @@
cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
cfgMerge(nickname, NULL);
+#ifdef NSS_ENABLE_ECC
+ cfgMerge(eccnickname, NULL);
+#endif
cfgMerge(enforce, PR_TRUE);
}
@@ -416,6 +422,19 @@
return NULL;
}
+#ifdef NSS_ENABLE_ECC
+const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->eccnickname = arg;
+
+ return NULL;
+}
+#endif
+
const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
Index: nss_engine_init.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_init.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- nss_engine_init.c 28 Oct 2005 18:20:01 -0000 1.16
+++ nss_engine_init.c 2 Mar 2006 19:21:54 -0000 1.17
@@ -60,6 +60,34 @@
/* AES ciphers.*/
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS},
+#ifdef NSS_ENABLE_ECC
+ /* ECC ciphers.*/
+ {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 0, TLS},
+ {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0, TLS},
+ {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
+ {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
+ {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0, TLS},
+ {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
+ {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
+ {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
+ {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS},
+ {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, 0, TLS},
+ {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
+ {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
+ {"echde_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, 0, TLS},
+ {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS},
+ {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
+ {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
+ {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS},
+ {"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, 0, TLS},
+ {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0, TLS},
+ {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0, TLS},
+#endif
};
static char *version_components[] = {
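Review bot: Three of the new configuration names do not follow the pattern of their neighbours: `"ecdh_rsa_128_sha"` (missing `rc4_`), `"echde_rsa_null"` (transposed letters and missing `_sha`) and `"ecdh_anon_rc4_128sha"` (missing underscore). These strings are what an administrator types in `NSSCipherSuite`, and the second one names a NULL-encryption suite, so someone writing `-ecdhe_rsa_null_sha` by analogy with the other rows would not match this entry; how the parser treats an unmatched name is not visible here. The sample line in nss.conf.in repeats the first two spellings, so both files need the same correction: `"ecdh_rsa_rc4_128_sha"`, `"ecdhe_rsa_null_sha"`, `"ecdh_anon_rc4_128_sha"`.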
@@ -722,7 +750,11 @@
apr_pool_t *ptemp,
modnss_ctx_t *mctx)
{
- if (mctx->servercert != NULL || mctx->serverkey != NULL) {
+#ifdef NSS_ENABLE_ECC
+ if (mctx->servercert != NULL || mctx->eccservercert != NULL) {
+#else
+ if (mctx->servercert != NULL) {
+#endif
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Illegal attempt to re-initialise SSL for server "
"(theoretically shouldn't happen!)");
@@ -749,58 +781,50 @@
nss_init_ctx_cipher_suite(s, p, ptemp, mctx);
}
-static void nss_init_server_certs(server_rec *s,
- apr_pool_t *p,
- apr_pool_t *ptemp,
- modnss_ctx_t *mctx)
+static void nss_init_certificate(server_rec *s, const char *nickname,
+ CERTCertificate **servercert,
+ SECKEYPrivateKey **serverkey,
+ SSLKEAType *KEAtype,
+ PRFileDesc *model,
+ int enforce)
{
SECCertTimeValidity certtimestatus;
SECStatus secstatus;
PK11SlotInfo* slot = NULL;
-
- /*
- * Get own certificate and private key.
- */
- if (mctx->nickname == NULL && mctx->as_server) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "No certificate nickname provided.");
- nss_die();
+ if (nickname == NULL) {
+ return;
}
- if (mctx->nickname != NULL) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Using nickname %s.", mctx->nickname);
- mctx->servercert = FindServerCertFromNickname(mctx->nickname);
- }
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "Using nickname %s.", nickname);
+
+ *servercert = FindServerCertFromNickname(nickname);
/* Verify the certificate chain. */
- if (mctx->servercert != NULL && mctx->as_server) {
+ if (*servercert != NULL) {
SECCertificateUsage usage = certificateUsageSSLServer;
- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), mctx->servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
+ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Certificate not verified: '%s'", mctx->nickname);
+ "Certificate not verified: '%s'", nickname);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
- if (mctx->enforce) {
+ if (enforce) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", mctx->nickname);
+ "Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
nss_die();
}
}
- }
-
- if (NULL == mctx->servercert && mctx->as_server)
- {
+ } else {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Certificate not found: '%s'", mctx->nickname);
+ "Certificate not found: '%s'", nickname);
nss_die();
}
- if (mctx->nickname && strchr(mctx->nickname, ':'))
+ if (strchr(nickname, ':'))
{
- char* token = strdup(mctx->nickname);
+ char* token = strdup(nickname);
char* colon = strchr(token, ':');
if (colon) {
*colon = 0;
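Review bot: The "Certificate not found" branch of the new `nss_init_certificate` logs at `APLOG_INFO` immediately before `nss_die()`, so with LogLevel at its default of warn the fatal path leaves no message; `ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Certificate not found: '%s'", nickname);` would match the severity used for the verification failure above it. The "Key not found" and "SSL error configuring server" messages in the following hunks have the same INFO-before-fatal shape. The helper also has no header comment; one stating that it returns silently when `nickname` is NULL, fills the three out-parameters, and calls `nss_die()` on failure would help the next reader. The function body continues past the end of this hunk.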
@@ -822,21 +846,19 @@
else {
slot = PK11_GetInternalKeySlot();
}
-
- if (mctx->servercert) {
- mctx->serverkey = PK11_FindPrivateKeyFromCert(slot, mctx->servercert, NULL);
- }
+
+ *serverkey = PK11_FindPrivateKeyFromCert(slot, *servercert, NULL);
+
PK11_FreeSlot(slot);
- if (mctx->as_server && mctx->serverkey == NULL) {
+ if (*serverkey == NULL) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Key not found for: '%s'", mctx->nickname);
+ "Key not found for: '%s'", nickname);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
- if (mctx->as_server) {
- mctx->serverKEAType = NSS_FindCertKEAType(mctx->servercert);
+ *KEAtype = NSS_FindCertKEAType(*servercert);
/*
* Check for certs that are expired or not yet valid and WARN about it
@@ -846,7 +868,7 @@
* for every virtual server - too expensive?
*/
- certtimestatus = CERT_CheckCertValidTimes(mctx->servercert, PR_Now(), PR_FALSE);
+ certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE);
switch (certtimestatus)
{
case secCertTimeValid:
@@ -854,35 +876,69 @@
break;
case secCertTimeExpired:
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Server certificate is expired: '%s'", mctx->nickname);
+ "Server certificate is expired: '%s'", nickname);
break;
case secCertTimeNotValidYet:
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Certificate is not valid yet '%s'", mctx->nickname);
+ "Certificate is not valid yet '%s'", nickname);
default:
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Unhandled Certificate time type %d for: '%s'", certtimestatus, mctx->nickname);
+ "Unhandled Certificate time type %d for: '%s'", certtimestatus, nickname);
break;
}
- }
- secstatus = (SECStatus)SSL_SetPKCS11PinArg(mctx->model, NULL);
+ secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype);
if (secstatus != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Error setting PKCS11 pin argument: '%s'", mctx->nickname);
+ "SSL error configuring server: '%s'", nickname);
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
-
+}
+
+
+static void nss_init_server_certs(server_rec *s,
+ apr_pool_t *p,
+ apr_pool_t *ptemp,
+ modnss_ctx_t *mctx)
+{
+ SECCertTimeValidity certtimestatus;
+ SECStatus secstatus;
+
+ PK11SlotInfo* slot = NULL;
+
+ /*
+ * Get own certificate and private key.
+ */
if (mctx->as_server) {
- secstatus = SSL_ConfigSecureServer(mctx->model, mctx->servercert, mctx->serverkey, mctx->serverKEAType);
- if (secstatus != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "SSL error configuring server: '%s'", mctx->nickname);
- nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+#ifdef NSS_ENABLE_ECC
+ if (mctx->nickname == NULL && mctx->eccnickname == NULL)
+#else
+ if (mctx->nickname == NULL)
+#endif
+ {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "No certificate nickname provided.");
nss_die();
}
+
+ nss_init_certificate(s, mctx->nickname, &mctx->servercert,
+ &mctx->serverkey, &mctx->serverKEAType,
+ mctx->model, mctx->enforce);
+#ifdef NSS_ENABLE_ECC
+ nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
+ &mctx->eccserverkey, &mctx->eccserverKEAType,
+ mctx->model, mctx->enforce);
+#endif
}
+ secstatus = (SECStatus)SSL_SetPKCS11PinArg(mctx->model, NULL);
+ if (secstatus != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "Error setting PKCS11 pin argument: '%s'", mctx->nickname);
+ nss_die();
+ }
+
secstatus = (SECStatus)SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback)NSSHandshakeCallback, NULL);
if (secstatus != SECSuccess)
{
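Review bot: The `case secCertTimeNotValidYet:` arm has no `break`, so a not-yet-valid certificate also falls into `default:` and logs "Unhandled Certificate time type"; the commit rewrites both messages but leaves the fall-through, and a `break;` after the "Certificate is not valid yet" call fixes it. In the rewritten `nss_init_server_certs`, the "Error setting PKCS11 pin argument" message still formats `mctx->nickname`, which can now be NULL when only `NSSECCNickname` is configured. The locals `certtimestatus` and `slot` declared there appear unused after the move into `nss_init_certificate`, though the function continues beyond this hunk.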
@@ -958,8 +1014,16 @@
sc = mySrvConfig(s);
if (sc->enabled) {
- CERT_DestroyCertificate(sc->server->servercert);
- SECKEY_DestroyPrivateKey(sc->server->serverkey);
+ if (sc->server->nickname) {
+ CERT_DestroyCertificate(sc->server->servercert);
+ SECKEY_DestroyPrivateKey(sc->server->serverkey);
+ }
+#ifdef NSS_ENABLE_ECC
+ if (sc->server->eccnickname) {
+ CERT_DestroyCertificate(sc->server->eccservercert);
+ SECKEY_DestroyPrivateKey(sc->server->eccserverkey);
+ }
+#endif
/* Closing this implicitly cleans up the copy of the certificates
* and keys associated with any SSL socket */
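Review bot: The cleanup keys the destroy calls on `nickname` / `eccnickname` being set rather than on the handles themselves, so it relies on every configured nickname having produced a certificate and key. Testing the pointer that is about to be released, e.g. `if (sc->server->eccservercert) CERT_DestroyCertificate(sc->server->eccservercert);`, and setting it to NULL afterwards is more direct, and it keeps the `servercert != NULL` re-initialisation guard in this file meaningful if the context outlives the cleanup. The enclosing function starts and ends outside the hunk.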
Index: nss_engine_io.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_io.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- nss_engine_io.c 29 Sep 2005 19:36:10 -0000 1.4
+++ nss_engine_io.c 2 Mar 2006 19:21:54 -0000 1.5
@@ -652,7 +652,7 @@
conn_rec *c = filter_ctx->c;
SSLConnRec *sslconn = myConnConfig(c);
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, c->base_server,
"SSL connection destroyed without being closed");
PR_Close(sslconn->ssl);
@@ -859,7 +859,7 @@
filter_ctx->nobuffer = 1;
status = nss_filter_io_shutdown(filter_ctx, f->c, 0);
if (status != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_INFO, status, NULL,
+ ap_log_error(APLOG_MARK, APLOG_INFO, status, f->c->base_server,
"SSL filter error shutting down I/O");
}
if ((status = ap_pass_brigade(f->next, bb)) != APR_SUCCESS) {
Index: nss_engine_kernel.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_kernel.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- nss_engine_kernel.c 31 May 2005 14:32:42 -0000 1.3
+++ nss_engine_kernel.c 2 Mar 2006 19:21:54 -0000 1.4
@@ -446,6 +446,9 @@
"Performing full renegotiation: "
"complete handshake protocol");
+ /* Do NOT call SSL_ResetHandshake as this will tear down the
+ * existing connection.
+ */
if (SSL_HandshakeCallback(ssl, HandshakeDone, (void *)&handshake_done) || SSL_ReHandshake(ssl, PR_TRUE)) {
int errCode = PR_GetError();
if (errCode == SEC_ERROR_INVALID_ARGS) {
@@ -461,7 +464,7 @@
return HTTP_FORBIDDEN;
}
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Awaiting re-negotiation handshake");
while (!handshake_done) {
@@ -500,7 +503,9 @@
"Re-negotiation handshake failed: "
"Not accepted by client!?");
+#if 0
r->connection->aborted = 1;
+#endif
return HTTP_FORBIDDEN;
}
}
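Review bot: `r->connection->aborted = 1;` is disabled with `#if 0` and no explanation, so after a failed renegotiation the request is refused with `HTTP_FORBIDDEN` but the connection is no longer flagged as aborted. If that is deliberate, a comment stating the reason should replace the dead code; if it was a debugging aid, the assignment should be restored. Whether later requests on the same connection are still subject to the client-certificate requirement is decided outside this hunk and is worth confirming.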
@@ -724,6 +729,7 @@
"SSL_VERSION_LIBRARY",
"SSL_PROTOCOL",
"SSL_CIPHER",
+ "SSL_CIPHER_NAME",
"SSL_CIPHER_EXPORT",
"SSL_CIPHER_USEKEYSIZE",
"SSL_CIPHER_ALGKEYSIZE",
Index: nss_engine_vars.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_vars.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- nss_engine_vars.c 4 Jan 2006 22:07:58 -0000 1.4
+++ nss_engine_vars.c 2 Mar 2006 19:21:54 -0000 1.5
@@ -363,10 +363,10 @@
if (SSL_GetCipherSuiteInfo(channel.cipherSuite,
&suite, sizeof suite) == SECSuccess)
{
- result = apr_psprintf(p, "%s", suite.keaTypeName);
+ result = apr_psprintf(p, "%s_%s", suite.keaTypeName, suite.authAlgorithmName);
}
} else
- result = apr_pstrdup(p, "UNKNOWN");
+ result = apr_pstrdup(p, "UNKNOWN_UNKNOWN");
resdup = FALSE;
}
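Review bot: When `SSL_GetChannelInfo` succeeds but the inner `SSL_GetCipherSuiteInfo` call fails, `result` is never assigned, whereas the outer failure path yields the `"UNKNOWN_UNKNOWN"` placeholder; the two failure modes should give the same answer. Assigning the placeholder first, `result = apr_pstrdup(p, "UNKNOWN_UNKNOWN");`, and letting the success path overwrite it removes the gap. The `_NAME` branch added in the next hunk of this file copies the same structure with `"UNKNOWN"`. The value's format also changes from the KEA name alone to KEA and authentication algorithm joined by an underscore, which anything parsing this variable will notice; the variable's name is outside the hunk.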
@@ -582,6 +582,25 @@
result = apr_psprintf(p, "%d", keySize);
resdup = FALSE;
}
+ else if (strcEQ(var, "_NAME")) {
+ SSLChannelInfo channel;
+ SSLCipherSuiteInfo suite;
+ SSLConnRec *sslconn = myConnConfig(c);
+
+ if (SSL_GetChannelInfo(sslconn->ssl, &channel, sizeof channel) ==
+ SECSuccess && channel.length == sizeof channel &&
+ channel.cipherSuite)
+ {
+ if (SSL_GetCipherSuiteInfo(channel.cipherSuite,
+ &suite, sizeof suite) == SECSuccess)
+ {
+ result = apr_psprintf(p, "%s", suite.cipherSuiteName);
+ }
+ } else
+ result = apr_pstrdup(p, "UNKNOWN");
+
+ resdup = FALSE;
+ }
if (result != NULL && resdup)
result = apr_pstrdup(p, result);