/* * Generate an empheral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the * common key sizes. * * Since few sites will bother to precompute these parameter * files, we also provide a fallback to the parameters provided * by the OpenSSL project. * * These values can be static (once loaded or computed) since * the OpenSSL library can efficiently generate random keys from * the information provided. */ static DH * tmp_dh_cb(SSL *s, int is_export, int keylength) { DH *r = NULL; static DH *dh = NULL; static DH *dh512 = NULL; static DH *dh1024 = NULL; static DH *dh2048 = NULL; static DH *dh4096 = NULL; switch (keylength) { case 512: if (dh512 == NULL) dh512 = load_dh_file(keylength); if (dh512 == NULL) dh512 = load_dh_buffer(file_dh512, sizeof file_dh512); r = dh512; break; case 1024: if (dh1024 == NULL) dh1024 = load_dh_file(keylength); if (dh1024 == NULL) dh1024 = load_dh_buffer(file_dh1024, sizeof file_dh1024); r = dh1024; break; case 2048: if (dh2048 == NULL) dh2048 = load_dh_file(keylength); if (dh2048 == NULL) dh2048 = load_dh_buffer(file_dh2048, sizeof file_dh2048); r = dh2048; break; case 4096: if (dh4096 == NULL) dh4096 = load_dh_file(keylength); if (dh4096 == NULL) dh4096 = load_dh_buffer(file_dh4096, sizeof file_dh4096); r = dh4096; break; default: if (dh == NULL) dh = load_dh_file(keylength); r = dh; } /* this may take a long time, but it may be necessary... */ if (r == NULL || 8 * DH_size(r) < keylength) r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL); return r; }
/* * Set DH parameters for generating ephemeral DH keys. The * DH parameters can take a long time to compute, so they must be * precomputed. * * Since few sites will bother to create a parameter file, we also * provide a fallback to the parameters provided by the OpenSSL * project. * * These values can be static (once loaded or computed) since the * OpenSSL library can efficiently generate random keys from the * information provided. */ static bool initialize_dh(SSL_CTX *context, bool isServerStart) { DH *dh = NULL; SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE); if (ssl_dh_params_file[0]) dh = load_dh_file(ssl_dh_params_file, isServerStart); if (!dh) dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048)); if (!dh) { ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), (errmsg("DH: could not load DH parameters")))); return false; } if (SSL_CTX_set_tmp_dh(context, dh) != 1) { ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), (errmsg("DH: could not set DH parameters: %s", SSLerrmessage(ERR_get_error()))))); return false; } return true; }
static DH *dh_auto_cb(SSL *s, int is_export, int keylength) { EVP_PKEY *pk; int bits; pk = SSL_get_privatekey(s); if (!pk) return load_dh_buffer(&dh2048, file_dh2048); bits = EVP_PKEY_bits(pk); if (bits >= 3072) return load_dh_buffer(&dh4096, file_dh4096); if (bits >= 1536) return load_dh_buffer(&dh2048, file_dh2048); return load_dh_buffer(&dh1024, file_dh1024); }
static DH *dh_legacy_cb(SSL *s, int is_export, int keylength) { return load_dh_buffer(&dh1024, file_dh1024); }