/*
* Generate an empheral DH key. Because this can take a long
* time to compute, we can use precomputed parameters of the
* common key sizes.
*
* Since few sites will bother to precompute these parameter
* files, we also provide a fallback to the parameters provided
* by the OpenSSL project.
*
* These values can be static (once loaded or computed) since
* the OpenSSL library can efficiently generate random keys from
* the information provided.
*/
static DH *
tmp_dh_cb(SSL *s, int is_export, int keylength)
{
DH *r = NULL;
static DH *dh = NULL;
static DH *dh512 = NULL;
static DH *dh1024 = NULL;
static DH *dh2048 = NULL;
static DH *dh4096 = NULL;
switch (keylength)
{
case 512:
if (dh512 == NULL)
dh512 = load_dh_file(keylength);
if (dh512 == NULL)
dh512 = load_dh_buffer(file_dh512, sizeof file_dh512);
r = dh512;
break;
case 1024:
if (dh1024 == NULL)
dh1024 = load_dh_file(keylength);
if (dh1024 == NULL)
dh1024 = load_dh_buffer(file_dh1024, sizeof file_dh1024);
r = dh1024;
break;
case 2048:
if (dh2048 == NULL)
dh2048 = load_dh_file(keylength);
if (dh2048 == NULL)
dh2048 = load_dh_buffer(file_dh2048, sizeof file_dh2048);
r = dh2048;
break;
case 4096:
if (dh4096 == NULL)
dh4096 = load_dh_file(keylength);
if (dh4096 == NULL)
dh4096 = load_dh_buffer(file_dh4096, sizeof file_dh4096);
r = dh4096;
break;
default:
if (dh == NULL)
dh = load_dh_file(keylength);
r = dh;
}
/* this may take a long time, but it may be necessary... */
if (r == NULL || 8 * DH_size(r) < keylength)
r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
return r;
}
/*
* Set DH parameters for generating ephemeral DH keys. The
* DH parameters can take a long time to compute, so they must be
* precomputed.
*
* Since few sites will bother to create a parameter file, we also
* provide a fallback to the parameters provided by the OpenSSL
* project.
*
* These values can be static (once loaded or computed) since the
* OpenSSL library can efficiently generate random keys from the
* information provided.
*/
static bool
initialize_dh(SSL_CTX *context, bool isServerStart)
{
DH *dh = NULL;
SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
if (ssl_dh_params_file[0])
dh = load_dh_file(ssl_dh_params_file, isServerStart);
if (!dh)
dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
if (!dh)
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
(errmsg("DH: could not load DH parameters"))));
return false;
}
if (SSL_CTX_set_tmp_dh(context, dh) != 1)
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
(errmsg("DH: could not set DH parameters: %s",
SSLerrmessage(ERR_get_error())))));
return false;
}
return true;
}
static DH *dh_auto_cb(SSL *s, int is_export, int keylength)
{
EVP_PKEY *pk;
int bits;
pk = SSL_get_privatekey(s);
if (!pk)
return load_dh_buffer(&dh2048, file_dh2048);
bits = EVP_PKEY_bits(pk);
if (bits >= 3072)
return load_dh_buffer(&dh4096, file_dh4096);
if (bits >= 1536)
return load_dh_buffer(&dh2048, file_dh2048);
return load_dh_buffer(&dh1024, file_dh1024);
}
static DH *dh_legacy_cb(SSL *s, int is_export, int keylength)
{
return load_dh_buffer(&dh1024, file_dh1024);
}
