Add ecc option for apache 2.2.x backport of ECC support

https://issues.apache.org/bugzilla/show_bug.cgi?id=40132

2 files changed, 317 insertions, 2 deletions

diff --git a/www/apache22/files/ecc2224.patch b/www/apache22/files/ecc2224.patch
new file mode 100644
index 00000000000..654952f4c2c
--- /dev/null
+++ b/www/apache22/files/ecc2224.patch
@@ -0,0 +1,307 @@
+Backport of ECC support 
+https://issues.apache.org/bugzilla/show_bug.cgi?id=40132
+
+--- ./docs/conf/extra/httpd-ssl.conf.in.orig	2012-01-04 21:10:40.000000000 +0100
++++ ./docs/conf/extra/httpd-ssl.conf.in	2013-09-07 05:44:49.000000000 +0200
+@@ -91,8 +91,11 @@
+ 
+ #   SSL Cipher Suite:
+ #   List the ciphers that the client is permitted to negotiate.
+ #   See the mod_ssl documentation for a complete list.
++#   Recent OpenSSL snapshots include Elliptic Curve Cryptograhpy (ECC) 
++#   cipher suites (see RFC 4492) as part of "ALL". Edit this line
++#   if you need to disable any of those ciphers.
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+ 
+ #   Speed-optimized SSL Cipher configuration:
+ #   If speed is your main concern (on busy HTTPS servers e.g.),
+@@ -113,18 +116,24 @@
+ #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
+ #   in mind that if you have both an RSA and a DSA certificate you
+ #   can configure both in parallel (to also allow the use of DSA
+ #   ciphers, etc.)
++#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
++#   require an ECC certificate which can also be configured in
++#   parallel.
+ SSLCertificateFile "@exp_sysconfdir@/server.crt"
+ #SSLCertificateFile "@exp_sysconfdir@/server-dsa.crt"
++#SSLCertificateFile "@exp_sysconfdir@/server-ecc.crt"
+ 
+ #   Server Private Key:
+ #   If the key is not combined with the certificate, use this
+ #   directive to point at the key file.  Keep in mind that if
+ #   you've both a RSA and a DSA private key you can configure
+ #   both in parallel (to also allow the use of DSA ciphers, etc.)
++#   ECC keys, when in use, can also be configured in parallel
+ SSLCertificateKeyFile "@exp_sysconfdir@/server.key"
+ #SSLCertificateKeyFile "@exp_sysconfdir@/server-dsa.key"
++#SSLCertificateKeyFile "@exp_sysconfdir@/server-ecc.key"
+ 
+ #   Server Certificate Chain:
+ #   Point SSLCertificateChainFile at a file containing the
+ #   concatenation of PEM encoded CA certificates which form the
+--- ./modules/ssl/ssl_private.h.orig	2013-02-15 16:50:37.000000000 +0100
++++ ./modules/ssl/ssl_private.h	2013-09-07 05:43:20.000000000 +0200
+@@ -190,13 +190,23 @@
+ 
+ #define SSL_ALGO_UNKNOWN (0)
+ #define SSL_ALGO_RSA     (1<<0)
+ #define SSL_ALGO_DSA     (1<<1)
++#ifndef OPENSSL_NO_EC
++#define SSL_ALGO_ECC     (1<<2)
++#define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
++#else
+ #define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA)
++#endif /* SSL_LIBRARY_VERSION */
+ 
+ #define SSL_AIDX_RSA     (0)
+ #define SSL_AIDX_DSA     (1)
++#ifndef OPENSSL_NO_EC
++#define SSL_AIDX_ECC     (2)
++#define SSL_AIDX_MAX     (3)
++#else
+ #define SSL_AIDX_MAX     (2)
++#endif /* SSL_LIBRARY_VERSION */
+ 
+ 
+ /**
+  * Define IDs for the temporary RSA keys and DH params
+@@ -624,8 +634,11 @@
+ 
+ /**  OpenSSL callbacks */
+ RSA         *ssl_callback_TmpRSA(SSL *, int, int);
+ DH          *ssl_callback_TmpDH(SSL *, int, int);
++#ifndef OPENSSL_NO_EC
++EC_KEY      *ssl_callback_TmpECDH(SSL *, int, int);
++#endif /* SSL_LIBRARY_VERSION */
+ int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
+ int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
+ int          ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
+ int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
+--- ./modules/ssl/ssl_util.c.orig	2008-09-18 16:34:51.000000000 +0200
++++ ./modules/ssl/ssl_util.c	2013-09-07 05:43:20.000000000 +0200
+@@ -149,8 +149,13 @@
+                 break;
+             case EVP_PKEY_DSA:
+                 t = SSL_ALGO_DSA;
+                 break;
++#ifndef OPENSSL_NO_EC
++            case EVP_PKEY_EC:
++                t = SSL_ALGO_ECC;
++                break;
++#endif 
+             default:
+                 break;
+         }
+     }
+@@ -173,8 +178,13 @@
+             break;
+         case SSL_ALGO_DSA:
+             cp = "DSA";
+             break;
++#ifndef OPENSSL_NO_EC
++        case SSL_ALGO_ECC:
++            cp = "ECC";
++            break;
++#endif
+         default:
+             break;
+     }
+     return cp;
+@@ -244,9 +254,13 @@
+ 
+     apr_hash_set(table, key, klen, NULL);
+ }
+ 
++#ifndef OPENSSL_NO_EC
++static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"};
++#else
+ static const char *ssl_asn1_key_types[] = {"RSA", "DSA"};
++#endif
+ 
+ const char *ssl_asn1_keystr(int keytype)
+ {
+     if (keytype >= SSL_AIDX_MAX) {
+--- ./modules/ssl/ssl_engine_init.c.orig	2012-10-07 08:39:16.000000000 +0200
++++ ./modules/ssl/ssl_engine_init.c	2013-09-07 05:43:20.000000000 +0200
+@@ -398,9 +398,13 @@
+     /*
+      *  Check for problematic re-initializations
+      */
+     if (mctx->pks->certs[SSL_AIDX_RSA] ||
+-        mctx->pks->certs[SSL_AIDX_DSA])
++        mctx->pks->certs[SSL_AIDX_DSA]
++#ifndef OPENSSL_NO_EC
++      || mctx->pks->certs[SSL_AIDX_ECC]
++#endif
++        )
+     {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                 "Illegal attempt to re-initialise SSL for server "
+                 "(SSLEngine On should go in the VirtualHost, not in global scope.)");
+@@ -598,8 +602,11 @@
+     SSL_CTX *ctx = mctx->ssl_ctx;
+ 
+     SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
+     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
++#ifndef OPENSSL_NO_EC
++    SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);
++#endif
+ 
+     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+ }
+ 
+@@ -865,11 +872,18 @@
+     SSLModConfigRec *mc = myModConfig(s);
+     ssl_asn1_t *asn1;
+     MODSSL_D2I_PrivateKey_CONST unsigned char *ptr;
+     const char *type = ssl_asn1_keystr(idx);
+-    int pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
++    int pkey_type;
+     EVP_PKEY *pkey;
+ 
++#ifndef OPENSSL_NO_EC
++    if (idx == SSL_AIDX_ECC)
++      pkey_type = EVP_PKEY_EC;
++    else
++#endif /* SSL_LIBRARY_VERSION */
++    pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
++
+     if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) {
+         return FALSE;
+     }
+ 
+@@ -977,22 +991,36 @@
+                                   apr_pool_t *p,
+                                   apr_pool_t *ptemp,
+                                   modssl_ctx_t *mctx)
+ {
+-    const char *rsa_id, *dsa_id;
++    const char *rsa_id, *dsa_id, *ecc_id;
+     const char *vhost_id = mctx->sc->vhost_id;
+     int i;
+-    int have_rsa, have_dsa;
++    int have_rsa, have_dsa, have_ecc;
+ 
+     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
+     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
++#ifndef OPENSSL_NO_EC
++    ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
++#endif
+ 
+     have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
+     have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
++#ifndef OPENSSL_NO_EC
++    have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
++#endif
+ 
+-    if (!(have_rsa || have_dsa)) {
++    if (!(have_rsa || have_dsa
++#ifndef OPENSSL_NO_EC
++        || have_ecc
++#endif
++)) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++#ifndef OPENSSL_NO_EC
++                "Oops, no RSA, DSA or ECC server certificate found "
++#else
+                 "Oops, no RSA or DSA server certificate found "
++#endif
+                 "for '%s:%d'?!", s->server_hostname, s->port);
+         ssl_die();
+     }
+ 
+@@ -1001,12 +1029,23 @@
+     }
+ 
+     have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA);
+     have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA);
++#if SSL_LIBRARY_VERSION >= 0x00908000
++    have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC);
++#endif
+ 
+-    if (!(have_rsa || have_dsa)) {
++    if (!(have_rsa || have_dsa
++#if SSL_LIBRARY_VERSION >= 0x00908000
++        || have_ecc
++#endif
++          )) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++#if SSL_LIBRARY_VERSION >= 0x00908000
++                "Oops, no RSA, DSA or ECC server private key found?!");
++#else
+                 "Oops, no RSA or DSA server private key found?!");
++#endif
+         ssl_die();
+     }
+ }
+ 
+--- ./modules/ssl/ssl_engine_kernel.c.orig	2013-02-15 16:50:37.000000000 +0100
++++ ./modules/ssl/ssl_engine_kernel.c	2013-09-07 05:43:20.000000000 +0200
+@@ -1266,8 +1266,35 @@
+ 
+     return (DH *)mc->pTmpKeys[idx];
+ }
+ 
++#ifndef OPENSSL_NO_EC
++EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen)
++{
++    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
++    SSLModConfigRec *mc = myModConfig(c->base_server);
++    int idx;
++    static EC_KEY *ecdh = NULL;
++    static init = 0;
++
++    /* XXX Uses 256-bit key for now. TODO: support other sizes. */
++    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++                  "handing out temporary 256 bit ECC key");
++
++    if (init == 0) {
++        ecdh = EC_KEY_new();
++        if (ecdh != NULL) {
++            /* ecdh->group = EC_GROUP_new_by_nid(NID_secp160r2); */
++            EC_KEY_set_group(ecdh, 
++              EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
++        }
++        init = 1;
++    }
++    
++    return ecdh;
++}
++#endif
++
+ /*
+  * This OpenSSL callback function is called when OpenSSL
+  * does client authentication and verifies the certificate chain.
+  */
+--- ./modules/ssl/mod_ssl.c.orig	2012-10-07 08:39:16.000000000 +0200
++++ ./modules/ssl/mod_ssl.c	2013-09-07 05:43:20.000000000 +0200
+@@ -440,8 +440,11 @@
+      *  Configure callbacks for SSL connection
+      */
+     SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
+     SSL_set_tmp_dh_callback(ssl,  ssl_callback_TmpDH);
++#ifndef OPENSSL_NO_EC
++    SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH);
++#endif
+ 
+     SSL_set_verify_result(ssl, X509_V_OK);
+ 
+     ssl_io_filter_init(c, ssl);
+--- ./modules/ssl/ssl_toolkit_compat.h.orig	2012-08-17 19:30:46.000000000 +0200
++++ ./modules/ssl/ssl_toolkit_compat.h	2013-09-07 05:45:26.000000000 +0200
+@@ -37,8 +37,14 @@
+ #include <openssl/crypto.h>
+ #include <openssl/evp.h>
+ #include <openssl/rand.h>
+ #include <openssl/x509v3.h>
++
++/* ECC support came along in OpenSSL 0.9.8 */
++#if (OPENSSL_VERSION_NUMBER < 0x00908000)
++#define OPENSSL_NO_EC
++#endif
++
+ /** Avoid tripping over an engine build installed globally and detected
+  * when the user points at an explicit non-engine flavor of OpenSSL
+  */
+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
diff --git a/www/apache22/options.mk b/www/apache22/options.mk
index 0a6a85af68c..e1b99f76c0d 100644
--- a/www/apache22/options.mk
+++ b/www/apache22/options.mk
@@ -1,9 +1,9 @@
-# $NetBSD: options.mk,v 1.9 2010/11/01 17:28:49 adam Exp $
+# $NetBSD: options.mk,v 1.10 2013/09/08 03:10:14 manu Exp $
 
 PKG_OPTIONS_VAR=		PKG_OPTIONS.apache
 PKG_OPTIONS_REQUIRED_GROUPS=	mpm
 PKG_OPTIONS_GROUP.mpm=		apache-mpm-event apache-mpm-prefork apache-mpm-worker
-PKG_SUPPORTED_OPTIONS=		apache-shared-modules suexec
+PKG_SUPPORTED_OPTIONS=		apache-shared-modules suexec ecc
 PKG_SUGGESTED_OPTIONS=		apache-shared-modules apache-mpm-prefork
 
 .include "../../mk/bsd.options.mk"
@@ -67,3 +67,11 @@ BUILD_TARGET=		all suexec
 PLIST.suexec=		yes
 SPECIAL_PERMS+=		sbin/suexec ${REAL_ROOT_USER} ${APACHE_GROUP} 4510
 .endif
+
+PLIST_VARS+=		ecc
+.if !empty(PKG_OPTIONS:Mecc)
+USE_TOOLS+=     patch
+ECC_PATCH=     ${FILESDIR}/ecc2224.patch
+post-patch:
+	${PATCH} -d ${WRKSRC} --forward --quiet  < ${ECC_PATCH}
+.endif