1 /*++
2 /* NAME
3 /* tls_rsa
4 /* SUMMARY
5 /* RSA support
6 /* SYNOPSIS
7 /* #define TLS_INTERNAL
8 /* #include <tls.h>
9 /*
10 /* RSA *tls_tmp_rsa_cb(ssl, export, keylength)
11 /* SSL *ssl; /* unused */
12 /* int export;
13 /* int keylength;
14 /* DESCRIPTION
15 /* tls_tmp_rsa_cb() is a call-back routine for the
16 /* SSL_CTX_set_tmp_rsa_callback() function.
17 /*
18 /* This implementation will generate only 512-bit ephemeral
19 /* RSA keys for export ciphersuites. It will log a warning in
20 /* all other usage contexts.
21 /* LICENSE
22 /* .ad
23 /* .fi
24 /* This software is free. You can do with it whatever you want.
25 /* The original author kindly requests that you acknowledge
26 /* the use of his software.
27 /* AUTHOR(S)
28 /* Originally written by:
29 /* Lutz Jaenicke
30 /* BTU Cottbus
31 /* Allgemeine Elektrotechnik
32 /* Universitaetsplatz 3-4
33 /* D-03044 Cottbus, Germany
34 /*
35 /* Updated by:
36 /* Wietse Venema
37 /* IBM T.J. Watson Research
38 /* P.O. Box 704
39 /* Yorktown Heights, NY 10598, USA
40 /*
41 /* Viktor Dukhovni.
42 /*--*/
43 
44 /* System library. */
45 
46 #include <sys_defs.h>
47 #include <msg.h>
48 
49 #ifdef USE_TLS
50 
51 /* TLS library. */
52 
53 #define TLS_INTERNAL
54 #include <tls.h>
55 #include <openssl/rsa.h>
56 
57  /*
58  * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
59  */
60 #if OPENSSL_VERSION_NUMBER < 0x10100000L
61 
/* tls_tmp_rsa_cb - call-back to generate ephemeral RSA key */

/*
 * Arguments: unused_ssl is ignored; export is non-zero when the handshake
 * negotiated an export ciphersuite; keylength is the requested modulus size
 * in bits. Returns a shared 512-bit RSA key, or 0 when the request is
 * refused or key generation fails. The key is generated on first use, kept
 * in a function-scope static for the life of the process and never freed,
 * so the caller must not free it either.
 */
RSA *tls_tmp_rsa_cb(SSL *unused_ssl, int export, int keylength)
{
    static RSA *rsa_tmp;

    /*
     * Ephemeral RSA is legitimate only for export ciphersuites. Anywhere
     * else it violates the SSL/TLS protocol, and it only happens when an
     * application asks for trouble by setting SSL_OP_EPHEMERAL_RSA, which
     * Postfix never does. Refuse with a warning rather than oblige.
     */
    if (export == 0 || keylength != 512) {
	msg_warn("%sexport %d-bit ephemeral RSA key requested",
		 export ? "" : "non-", keylength);
	return 0;
    }

    /* A key generated by an earlier call is reused as-is. */
    if (rsa_tmp != 0)
	return (rsa_tmp);

#if OPENSSL_VERSION_NUMBER >= 0x10000000L
    {
	/* OpenSSL >= 1.0.0 interface: explicit public exponent as a BIGNUM. */
	BIGNUM *e = BN_new();
	RSA    *key = 0;

	if (e != 0 && BN_set_word(e, RSA_F4) && (key = RSA_new()) != 0) {
	    /* Publish the key only when generation succeeded. */
	    if (RSA_generate_key_ex(key, keylength, e, 0))
		rsa_tmp = key;
	    else
		RSA_free(key);
	}
	if (e != 0)
	    BN_free(e);
    }
#else
    /* Pre-1.0.0 interface: exponent passed as a plain integer. */
    rsa_tmp = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
#endif

    return (rsa_tmp);
}
98 
99 #endif /* OPENSSL_VERSION_NUMBER */
100 
101 #ifdef TEST
102 
103 #include <msg_vstream.h>
104 
/*
 * Stand-alone exerciser for tls_tmp_rsa_cb(). Exit status is 0 when the
 * only accepted request (export, 512-bit) yields a 512-bit key that can be
 * written out in PEM form and when every other request is refused; 1
 * otherwise. With OpenSSL >= 1.1.0 (no ephemeral RSA) nothing is tested and
 * the status is always 1.
 */
int main(int unused_argc, char *const argv[])
{
    int     ok = 0;

    /*
     * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
     */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
    RSA    *rsa;

    msg_vstream_init(argv[0], VSTREAM_ERR);

    /* The one supported request: export ciphersuite, 512-bit modulus. */
    rsa = tls_tmp_rsa_cb(0, 1, 512);
    if (rsa != 0 && RSA_size(rsa) == 512 / 8)
	ok = (PEM_write_RSAPrivateKey(stdout, rsa, 0, 0, 0, 0, 0) != 0);
    tls_print_errors();

    /* Non-export use and any other bit length must be refused. */
    if (ok)
	ok = (tls_tmp_rsa_cb(0, 0, 512) == 0
	      && tls_tmp_rsa_cb(0, 1, 1024) == 0);
#endif

    return ok ? 0 : 1;
}
130 
131 #endif
132 
133 #endif