From 2cf92a1894b64a0dfb5120b712c09a20e21bd44c Mon Sep 17 00:00:00 2001 From: Markus Makela Date: Thu, 11 Jun 2015 13:22:18 +0300 Subject: [PATCH] Added RSA key generator. --- server/core/service.c | 72 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 67 insertions(+), 5 deletions(-) diff --git a/server/core/service.c b/server/core/service.c index 826c79e66..fbffd27bd 100644 --- a/server/core/service.c +++ b/server/core/service.c @@ -69,6 +69,9 @@ extern int lm_enabled_logfiles_bitmask; extern size_t log_ses_count[]; extern __thread log_info_t tls_log_info; +static RSA *rsa_512 = NULL; +static RSA *rsa_1024 = NULL; + /** To be used with configuration type checks */ typedef struct typelib_st { int tl_nelems; @@ -418,6 +421,17 @@ serviceStart(SERVICE *service) SERV_PROTOCOL *port; int listeners = 0; +if(service->ssl_mode != SSL_DISABLED) +{ + if(serviceInitSSL(service) != 0) + { + LOGIF(LE, (skygw_log_write_flush(LOGFILE_ERROR, + "%s: SSL initialization failed. Service not started.", + service->name))); + service->state = SERVICE_STATE_FAILED; + return 0; + } +} if ((service->router_instance = service->router->createInstance(service, service->routerOptions)) == NULL) { 
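Review bot: The two new file-scope pointers `rsa_512` and `rsa_1024` in the hunk at -69 carry no comment saying what they hold, who assigns them, or who frees them, and nothing in the patch ever calls RSA_free on them. Add `/* Process-wide temporary RSA keys, generated once in serviceInitSSL and handed to every service's SSL_CTX through tmp_rsa_callback; never released. */` above the declarations. Because they are mutable globals in a file that already uses `__thread` storage (`tls_log_info`), any writer other than the one-time initialisation presumably needs synchronisation; confirm against the threading model.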
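Review bot: The failure branch in the hunk at -418 logs through `LOGIF(LE, (skygw_log_write_flush(LOGFILE_ERROR, ...)))` while every other message this patch adds uses the plain `skygw_log_write(LE, "...")` form; the two styles should not be mixed within one change, so either form is fine but pick one. The branch also marks the service `SERVICE_STATE_FAILED` and returns 0 before `createInstance` runs, so a service whose SSL setup fails never gets a router instance; that appears intended but deserves a one-line comment such as `/* Refuse to start rather than listen without the configured SSL */`. serviceStart begins and ends outside this hunk.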
@@ -1839,9 +1853,44 @@ int *data; } +/** + * + * @param s + * @param is_export + * @param keylength + * @return + */ + RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength) + { + RSA *rsa_tmp=NULL; + + switch (keylength) { + case 512: + if (rsa_512) + rsa_tmp = rsa_512; + else { /* generate on the fly, should not happen in this example */ + rsa_tmp = RSA_generate_key(keylength,RSA_F4,NULL,NULL); + rsa_512 = rsa_tmp; /* Remember for later reuse */ + } + break; + case 1024: + if (rsa_1024) + rsa_tmp=rsa_1024; + break; + default: + /* Generating a key on the fly is very costly, so use what is there */ + if (rsa_1024) + rsa_tmp=rsa_1024; + else + rsa_tmp=rsa_512; /* Use at least a shorter key */ + } + return(rsa_tmp); + } + int serviceInitSSL(SERVICE* service) { DH* dh; + RSA* rsa; if(!service->ssl_init_done) { @@ -1878,12 +1927,21 @@ int serviceInitSSL(SERVICE* service) service->ctx = SSL_CTX_new(service->method); - /** Enable the Diffie-Hellman algorithms */ - if((dh = ssl_get_dh2236()) != NULL) + if(rsa_512 == NULL) { - SSL_CTX_set_tmp_dh(service->ctx,dh); - DH_free(dh); + rsa_512 = RSA_generate_key(512,RSA_F4,NULL,NULL); + if (rsa_512 == NULL) + skygw_log_write(LE,"Error: 512-bit RSA key generation failed."); } + if(rsa_1024 == NULL) + { + rsa_1024 = RSA_generate_key(1024,RSA_F4,NULL,NULL); + if (rsa_1024 == NULL) + skygw_log_write(LE,"Error: 1024-bit RSA key generation failed."); + } + + if(rsa_512 != NULL && rsa_1024 != NULL) + SSL_CTX_set_tmp_rsa_callback(service->ctx,tmp_rsa_callback); if (SSL_CTX_use_certificate_file(service->ctx, service->ssl_cert, SSL_FILETYPE_PEM) <= 0) { skygw_log_write(LE,"Error: Failed to set server SSL certificate."); @@ -1919,6 +1977,10 @@ int serviceInitSSL(SERVICE* service) return 0; } +/** + * Generated by OpenSSL. + * @return + */ DH *ssl_get_dh2236() { static unsigned char dh2236_p[]={ 
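Review bot: `tmp_rsa_callback` writes to the shared global (`rsa_512 = rsa_tmp`) from inside a callback that OpenSSL runs during a handshake, and with the file's evident multi-threading (`__thread` storage in the -69 hunk) that is an unsynchronised write to a global read by every other connection. The branch is also unreachable as patched, because the callback is only installed when both keys already exist (see the hunk at -1878), so it adds only risk; the on-the-fly `RSA_generate_key` there is both expensive and, at 512 bits, produces a key far below current minimums, so the defensible behaviour is to return NULL for such requests and let the handshake fail rather than serve a weak key. Separately, the function is not `static` and has no prototype, `s` and `is_export` are unused, and the Doxygen header is empty; fill it with a sentence stating that the callback only hands out keys pre-generated in serviceInitSSL and never generates or assigns here.
```c
/* Hand OpenSSL a temporary RSA key for the handshake. Keys are generated
 * once in serviceInitSSL; this runs per handshake and must not generate or
 * assign anything. Sizes below 1024 bits are refused (NULL fails the handshake). */
static RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength)
{
    (void)s;
    (void)is_export;
    if (keylength < 1024)
    {
        return NULL;
    }
    return rsa_1024;
}
```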
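Review bot: The hunk at -1878 deletes the `SSL_CTX_set_tmp_dh(service->ctx, dh)` / `DH_free(dh)` block, which means the DHE parameters from `ssl_get_dh2236()` are no longer attached to the context and DHE cipher suites can no longer complete; `SSL_CTX_set_tmp_rsa_callback` only serves temporary RSA keys and is not a substitute. Keep the DH lines, `if((dh = ssl_get_dh2236()) != NULL) { SSL_CTX_set_tmp_dh(service->ctx,dh); DH_free(dh); }`, alongside the new RSA setup; as patched `DH* dh;` and the newly added `RSA* rsa;` are both unused locals. `RSA_generate_key` is the deprecated interface and `RSA_generate_key_ex` is the replacement; generating a 512-bit key at all is hard to justify, and if 512-bit generation fails the callback is silently not installed even though the 1024-bit key exists, which the log message does not make clear.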
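Review bot: The new Doxygen block on `ssl_get_dh2236` in the hunk at -1919 says only "Generated by OpenSSL." and leaves `@return` blank, so it documents neither what is returned nor who owns it. From the function body (the `DH_free(dh); return(NULL);` path and the final `return(dh)` in the hunk at -1958) the contract is: `@return a newly allocated DH holding the fixed 2236-bit parameters in dh2236_p/dh2236_g, owned by the caller who must DH_free() it, or NULL if allocation of the DH or its parameters failed`. "Generated by OpenSSL" presumably refers to the parameter tables having been produced with the openssl dhparam tool; say so explicitly if that is the case.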
@@ -1958,4 +2020,4 @@ DH *ssl_get_dh2236() if ((dh->p == NULL) || (dh->g == NULL)) { DH_free(dh); return(NULL); } return(dh); -} \ No newline at end of file +}