hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added RSA key generator.

Browse Source
This commit is contained in:
Markus Makela
2015-06-11 13:22:18 +03:00
parent bb427128a9
commit 2cf92a1894
1 changed files with 67 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
server/core/service.c
View File

@ -69,6 +69,9 @@ extern int lm_enabled_logfiles_bitmask;
extern size_t log_ses_count[]; extern size_t log_ses_count[];
extern __thread log_info_t tls_log_info; extern __thread log_info_t tls_log_info;
static RSA *rsa_512 = NULL;
static RSA *rsa_1024 = NULL;
/** To be used with configuration type checks */ /** To be used with configuration type checks */
typedef struct typelib_st { typedef struct typelib_st {
int tl_nelems; int tl_nelems;
@ -418,6 +421,17 @@ serviceStart(SERVICE *service)
SERV_PROTOCOL *port; SERV_PROTOCOL *port;
int listeners = 0; int listeners = 0;
if(service->ssl_mode != SSL_DISABLED)
{
if(serviceInitSSL(service) != 0)
{
LOGIF(LE, (skygw_log_write_flush(LOGFILE_ERROR,
"%s: SSL initialization failed. Service not started.",
service->name)));
service->state = SERVICE_STATE_FAILED;
return 0;
}
}
if ((service->router_instance = service->router->createInstance(service, if ((service->router_instance = service->router->createInstance(service,
service->routerOptions)) == NULL) service->routerOptions)) == NULL)
{ {
@ -1839,9 +1853,44 @@ int *data;
} }
/**
*
* @param s
* @param is_export
* @param keylength
* @return
*/
RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength)
{
RSA *rsa_tmp=NULL;
switch (keylength) {
case 512:
if (rsa_512)
rsa_tmp = rsa_512;
else { /* generate on the fly, should not happen in this example */
rsa_tmp = RSA_generate_key(keylength,RSA_F4,NULL,NULL);
rsa_512 = rsa_tmp; /* Remember for later reuse */
}
break;
case 1024:
if (rsa_1024)
rsa_tmp=rsa_1024;
break;
default:
/* Generating a key on the fly is very costly, so use what is there */
if (rsa_1024)
rsa_tmp=rsa_1024;
else
rsa_tmp=rsa_512; /* Use at least a shorter key */
}
return(rsa_tmp);
}
int serviceInitSSL(SERVICE* service) int serviceInitSSL(SERVICE* service)
{ {
DH* dh; DH* dh;
RSA* rsa;
if(!service->ssl_init_done) if(!service->ssl_init_done)
{ {
@ -1878,12 +1927,21 @@ int serviceInitSSL(SERVICE* service)
service->ctx = SSL_CTX_new(service->method); service->ctx = SSL_CTX_new(service->method);
/** Enable the Diffie-Hellman algorithms */ if(rsa_512 == NULL)
if((dh = ssl_get_dh2236()) != NULL)
{ {
SSL_CTX_set_tmp_dh(service->ctx,dh); rsa_512 = RSA_generate_key(512,RSA_F4,NULL,NULL);
DH_free(dh); if (rsa_512 == NULL)
skygw_log_write(LE,"Error: 512-bit RSA key generation failed.");
} }
if(rsa_1024 == NULL)
{
rsa_1024 = RSA_generate_key(1024,RSA_F4,NULL,NULL);
if (rsa_1024 == NULL)
skygw_log_write(LE,"Error: 1024-bit RSA key generation failed.");
}
if(rsa_512 != NULL && rsa_1024 != NULL)
SSL_CTX_set_tmp_rsa_callback(service->ctx,tmp_rsa_callback);
if (SSL_CTX_use_certificate_file(service->ctx, service->ssl_cert, SSL_FILETYPE_PEM) <= 0) { if (SSL_CTX_use_certificate_file(service->ctx, service->ssl_cert, SSL_FILETYPE_PEM) <= 0) {
skygw_log_write(LE,"Error: Failed to set server SSL certificate."); skygw_log_write(LE,"Error: Failed to set server SSL certificate.");
@ -1919,6 +1977,10 @@ int serviceInitSSL(SERVICE* service)
return 0; return 0;
} }
/**
* Generated by OpenSSL.
* @return
*/
DH *ssl_get_dh2236() DH *ssl_get_dh2236()
{ {
static unsigned char dh2236_p[]={ static unsigned char dh2236_p[]={