www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

cleanup tmp key callbacks. each had assigned the same (1024 bit) value

Browse Source 
in 3 different places.  the old code did nothing special in the case
of the export flag either.

add an ssl_log in each to trace when keys are being handed out.

add some XXX comments.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93885 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Doug MacEachern
2002-03-12 23:42:53 +00:00
parent 53d837b39b
commit 63e70cd522
1 changed files with 39 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
modules/ssl/ssl_engine_kernel.c
View File

@@ -1213,65 +1213,66 @@ int ssl_hook_Fixup(request_rec *r)
* | Whenever a new key is completed, the existing temporary key can be * | Whenever a new key is completed, the existing temporary key can be
* | replaced with the new one. * | replaced with the new one.
* *
* XXX: base on comment above, if thread support is enabled,
* we should spawn a low-priority thread to generate new keys
* on the fly.
*
* So we generated 512 and 1024 bit temporary keys on startup * So we generated 512 and 1024 bit temporary keys on startup
* which we now just handle out on demand.... * which we now just hand out on demand....
*/ */
RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen) RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen)
{ {
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
SSLModConfigRec *mc = myModConfig(c->base_server); SSLModConfigRec *mc = myModConfig(c->base_server);
RSA *rsa = NULL; int idx;
if (export) { ssl_log(c->base_server, SSL_LOG_TRACE,
/* It's because an export cipher is used */ "handing out temporary %d bit RSA key", keylen);
if (keylen == 512) {
rsa = (RSA *)mc->pTmpKeys[SSL_TMP_KEY_RSA_512]; /* doesn't matter if export flag is on,
} * we won't be asked for keylen > 512 in that case.
else if (keylen == 1024) { * if we are asked for a keylen > 1024, it is too expensive
rsa = (RSA *)mc->pTmpKeys[SSL_TMP_KEY_RSA_1024]; * to generate on the fly.
} * XXX: any reason not to generate 2048 bit keys at startup?
else { */
/* it's too expensive to generate on-the-fly, so keep 1024bit */
rsa = (RSA *)mc->pTmpKeys[SSL_TMP_KEY_RSA_1024]; switch (keylen) {
} case 512:
} idx = SSL_TMP_KEY_RSA_512;
else { break;
/* It's because a sign-only certificate situation exists */
rsa = (RSA *)mc->pTmpKeys[SSL_TMP_KEY_RSA_1024]; case 1024:
default:
idx = SSL_TMP_KEY_RSA_1024;
} }
return rsa; return (RSA *)mc->pTmpKeys[idx];
} }
/* /*
* Handle out the already generated DH parameters... * Hand out the already generated DH parameters...
*/ */
DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
{ {
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
SSLModConfigRec *mc = myModConfig(c->base_server); SSLModConfigRec *mc = myModConfig(c->base_server);
DH *dh = NULL; int idx;
if (export) { ssl_log(c->base_server, SSL_LOG_TRACE,
/* It's because an export cipher is used */ "handing out temporary %d bit DH key", keylen);
if (keylen == 512) {
dh = (DH *)mc->pTmpKeys[SSL_TMP_KEY_DH_512]; switch (keylen) {
} case 512:
else if (keylen == 1024) { idx = SSL_TMP_KEY_DH_512;
dh = (DH *)mc->pTmpKeys[SSL_TMP_KEY_DH_1024]; break;
}
else { case 1024:
/* it's too expensive to generate on-the-fly, so keep 1024bit */ default:
dh = (DH *)mc->pTmpKeys[SSL_TMP_KEY_DH_1024]; idx = SSL_TMP_KEY_DH_1024;
}
}
else {
/* It's because a sign-only certificate situation exists */
dh = (DH *)mc->pTmpKeys[SSL_TMP_KEY_DH_1024];
} }
return dh; return (DH *)mc->pTmpKeys[idx];
} }
/* /*