Add support for ECC certificates

Fixes: #116

src/hitch.c

@@ -928,24 +928,24 @@ create_shcupd_socket()
 
 #endif /*USE_SHARED_CACHE */
 
-RSA *
-load_rsa_privatekey(SSL_CTX *ctx, const char *file)
+EVP_PKEY *
+load_privatekey(SSL_CTX *ctx, const char *file)
 {
 	BIO *bio;
-	RSA *rsa;
+	EVP_PKEY *pkey;
 
 	bio = BIO_new_file(file, "r");
 	if (!bio) {
 		log_ssl_error(NULL, "{core} BIO_new_file");
 		return NULL;
 	}
 
-	rsa = PEM_read_bio_RSAPrivateKey(bio, NULL,
+	pkey = PEM_read_bio_PrivateKey(bio, NULL,
 	    ctx->default_passwd_callback,
 	    ctx->default_passwd_callback_userdata);
 	BIO_free(bio);
 
-	return rsa;
+	return (pkey);
 }
 
 #ifndef OPENSSL_NO_TLSEXT
@@ -1367,7 +1367,7 @@ make_ctx_fr(const struct cfg_cert_file *cf, const struct frontend *fr,
 {
 	SSL_CTX *ctx;
 	sslctx *sc;
-	RSA *rsa;
+	EVP_PKEY *pkey;
 	ENC_TYPE etype = CONFIG->ETYPE;
 	char *ciphers = CONFIG->CIPHER_SUITE;
 	int pref_srv_ciphers = CONFIG->PREFER_SERVER_CIPHERS;
@@ -1433,17 +1433,17 @@ make_ctx_fr(const struct cfg_cert_file *cf, const struct frontend *fr,
 		return (NULL);
 	}
 
-	rsa = load_rsa_privatekey(ctx, cf->filename);
-	if (!rsa) {
-		ERR("Error loading RSA private key (%s)\n", cf->filename);
+	pkey = load_privatekey(ctx, cf->filename);
+	if (!pkey) {
+		ERR("Error loading private key (%s)\n", cf->filename);
 		sctx_free(sc, NULL);
 		return (NULL);
 	}
 
-	if (SSL_CTX_use_RSAPrivateKey(ctx, rsa) <= 0) {
-		log_ssl_error(NULL, "SSL_CTX_use_RSAPrivateKey: %s",
+	if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) {
+		log_ssl_error(NULL, "SSL_CTX_use_PrivateKey: %s",
 		    cf->filename);
-		RSA_free(rsa);
+		EVP_PKEY_free(pkey);
 		sctx_free(sc, NULL);
 		return (NULL);
 	}
@@ -1463,7 +1463,7 @@ make_ctx_fr(const struct cfg_cert_file *cf, const struct frontend *fr,
 	}
 
 	if (load_cert_ctx(sc) != 0) {
-		RSA_free(rsa);
+		EVP_PKEY_free(pkey);
 		sctx_free(sc, NULL);
 		return (NULL);
 	}
@@ -1482,7 +1482,7 @@ make_ctx_fr(const struct cfg_cert_file *cf, const struct frontend *fr,
 		if (ocsp_init_file(cf->ocspfn, sc, 0) != 0) {
 			ERR("Error loading OCSP response %s for stapling.\n",
 			    cf->ocspfn);
-			RSA_free(rsa);
+			EVP_PKEY_free(pkey);
 			sctx_free(sc, NULL);
 			return (NULL);
 		} else {
@@ -1501,14 +1501,17 @@ make_ctx_fr(const struct cfg_cert_file *cf, const struct frontend *fr,
 	if (CONFIG->SHARED_CACHE) {
 		if (shared_context_init(ctx, CONFIG->SHARED_CACHE) < 0) {
 			ERR("Unable to alloc memory for shared cache.\n");
-			RSA_free(rsa);
+			EVP_PKEY_free(pkey);
 			sctx_free(sc, NULL);
 			return (NULL);
 		}
 		if (CONFIG->SHCUPD_PORT) {
-			if (compute_secret(rsa, shared_secret) < 0) {
+			RSA *rsa;
+			rsa = EVP_PKEY_get1_RSA(pkey);
+			if (rsa != NULL &&
+			    compute_secret(rsa, shared_secret) < 0) {
 				ERR("Unable to compute shared secret.\n");
-				RSA_free(rsa);
+				EVP_PKEY_free(pkey);
 				sctx_free(sc, NULL);
 				return (NULL);
 			}
@@ -1522,7 +1525,7 @@ make_ctx_fr(const struct cfg_cert_file *cf, const struct frontend *fr,
 		}
 	}
 #endif
-	RSA_free(rsa);
+	EVP_PKEY_free(pkey);
 	return (sc);
 }
 

src/tests/certs/ecc.example.com.pem

@@ -0,0 +1,32 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILGG81gMCCHEFVPCNvmiHyj52I52lN/ZseXOgWeWjdR8oAoGCCqGSM49
+AwEHoUQDQgAEiPp1pDeYnScZ0k8QV55Lqe5GvPjdFdhj+Z78blrVuc6L7H3bKx67
+5Sjpth7SRdcBLj0J3xQbdczXNYT1mGyv0Q==
+-----END EC PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICejCCAh+gAwIBAgIJAJBlb7KNsA6TMAoGCCqGSM49BAMCMIGYMQswCQYDVQQG
+EwJOTzEMMAoGA1UECAwDRm9vMQwwCgYDVQQHDANiYXIxITAfBgNVBAoMGEludGVy
+bmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UECwwLZXhhbXBsZS5jb20xGDAWBgNV
+BAMMD2VjYy5leGFtcGxlLmNvbTEaMBgGCSqGSIb3DQEJARYLZm9vQGJhci5iYXow
+HhcNMTYwOTA4MTIyNjAwWhcNMTcwOTA4MTIyNjAwWjCBmDELMAkGA1UEBhMCTk8x
+DDAKBgNVBAgMA0ZvbzEMMAoGA1UEBwwDYmFyMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxFDASBgNVBAsMC2V4YW1wbGUuY29tMRgwFgYDVQQDDA9l
+Y2MuZXhhbXBsZS5jb20xGjAYBgkqhkiG9w0BCQEWC2Zvb0BiYXIuYmF6MFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEiPp1pDeYnScZ0k8QV55Lqe5GvPjdFdhj+Z78
+blrVuc6L7H3bKx675Sjpth7SRdcBLj0J3xQbdczXNYT1mGyv0aNQME4wHQYDVR0O
+BBYEFEFiYs25LVpgAaFAiht+hAVuhm+VMB8GA1UdIwQYMBaAFEFiYs25LVpgAaFA
+iht+hAVuhm+VMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMPtYL6C
+IpjW9xra2sCehyHe/exVqzyrbrToMcCagAWvAiEA7HXMTHVAkv5YdKEijhGuHyoZ
+jrQFNBRbZE+jZmVgf/o=
+-----END CERTIFICATE-----
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAlaqrlaY8iQGnqIl7Xhvo1zGIq7i8ectN+WVfStKgCzbUYdTpQXYQ
+H2KxqQpbMHVfFZerrqIwn6/ZAZKVLZFsKYeThrCI/2wNzeRp0L8AVRZ9poibGxVD
+MQe4jHY+PQ7t6dkiM33rsadOjo/BGlHZgeQo3qgzyZEJgvafu+xroVQadVXqAWqx
+sAJ3nWj9oCIcTvOBmGH77jENp4mmM4qr0CaGGPbOAz2k9jmn/+ZyWCSqwqeO0bff
+b/+JwL5iu86mgWewaZj5mz4iGFVgrIwbC+8e2KTFa2Lg16ZGVUyt6jje/3fw1Ovy
+l6qilDnsHm9LkiNXx9QPTravWelxgVkbkwIBAg==
+-----END DH PARAMETERS-----

src/tests/test17-ecc-certs.sh

@@ -0,0 +1,15 @@
+#/bin/sh
+# Test loading an ECC certificate
+. ${TESTDIR}common.sh
+set +o errexit
+
+hitch $HITCH_ARGS --backend=[hitch-tls.org]:80 "--frontend=[${LISTENADDR}]:$LISTENPORT" ${CERTSDIR}/ecc.example.com.pem
+test "$?" = "0" || die "Hitch did not start."
+
+echo -e "\n" | openssl s_client -prexit -connect $LISTENADDR:$LISTENPORT >$DUMPFILE 2>&1
+test "$?" = "0" || die "s_client failed"
+
+grep -q -c "CN=ecc.example.com" $DUMPFILE
+test "$?" = "0" || die "Got wrong certificate."
+
+runcurl $LISTENADDR $LISTENPORT