From: Viktor Dukhovni
Date: Sun, 6 Dec 2015 23:39:12 +0000 (-0500)
Subject: Bitrot: OpenSSL 1.1.0-dev drops EXPORT ciphers and ephemeral RSA
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84b8f60347b6f39438753922415fc8ae032283ac;p=thirdparty%2Fpostfix.git

Bitrot: OpenSSL 1.1.0-dev drops EXPORT ciphers and ephemeral RSA
---
diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index f50936aac..fb0f87a0c 100644
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -422,12 +422,17 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
 return (0);
 }
+ /*
+ * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
 * According to the OpenSSL documentation, temporary RSA key is needed
 * export ciphers are in use. We have to provide one, so well, we just do
 * it.
 */
 SSL_CTX_set_tmp_rsa_callback(client_ctx, tls_tmp_rsa_cb);
+#endif
 /*
 * Finally, the setup for the server certificate checking, done "by the
diff --git a/postfix/src/tls/tls_rsa.c b/postfix/src/tls/tls_rsa.c
index aba4142d2..77c21548a 100644
--- a/postfix/src/tls/tls_rsa.c
+++ b/postfix/src/tls/tls_rsa.c
@@ -54,6 +54,11 @@
 #include
 #include
+ /*
+ * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
 /* tls_tmp_rsa_cb - call-back to generate ephemeral RSA key */
 RSA *tls_tmp_rsa_cb(SSL *unused_ssl, int export, int keylength)
@@ -90,6 +95,7 @@ RSA *tls_tmp_rsa_cb(SSL *unused_ssl, int export, int keylength)
 return (rsa_tmp);
 }
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifdef TEST
@@ -97,8 +103,12 @@ RSA *tls_tmp_rsa_cb(SSL *unused_ssl, int export, int keylength)
 int main(int unused_argc, char *const argv[])
 {
+ int ok = 0;
+ /*
+ * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 RSA *rsa;
- int ok;
 msg_vstream_init(argv[0], VSTREAM_ERR);
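Review bot: The new `#endif` that closes the `OPENSSL_VERSION_NUMBER` guard around `SSL_CTX_set_tmp_rsa_callback` is bare here and in the matching tls_server.c hunk, while the tls_rsa.c hunk writes `#endif /* OPENSSL_VERSION_NUMBER */`; the guarded region already spans a multi-line comment plus the call, so the same `#endif /* OPENSSL_VERSION_NUMBER */` belongs in both files. The guard keys on the version number rather than on the presence of the API, so any library that reports a 1.1.0-or-later number but still ships the callback would silently stop providing the export-cipher RSA key, which is harmless only if that library also dropped the EXPORT cipher suites; a one-line comment on the `#if` such as `/* assumes no library >= 1.1.0 still offers EXPORT ciphers */` would record that assumption next to the code. tls_client_init's body continues outside the hunk.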
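Review bot: With `int ok = 0;` hoisted above the new `#if OPENSSL_VERSION_NUMBER < 0x10100000L` in the TEST main, a build against OpenSSL 1.1.0 or later compiles out every assignment to `ok`, so `return ok ? 0 : 1;` (in the @@ -111 hunk) exits with status 1 and the test driver reports failure on exactly the builds where there is nothing to test. If the old-OpenSSL path assigns `ok` outright before the visible `ok = ok && ...` chain (those lines are outside the hunk), `int ok = 1;` would keep the old behaviour and let the stubbed-out build pass; otherwise an `#else` branch with `ok = 1;` and a comment `/* ephemeral RSA not supported: nothing to verify */` makes the intent explicit. The body of main continues past this hunk.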
@@ -111,6 +121,7 @@ int main(int unused_argc, char *const argv[])
 /* Non-export or unexpected bit length should fail */
 ok = ok && tls_tmp_rsa_cb(0, 0, 512) == 0;
 ok = ok && tls_tmp_rsa_cb(0, 1, 1024) == 0;
+#endif
 return ok ? 0 : 1;
 }
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 0fd842241..8320aea53 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -560,12 +560,17 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
 return (0);
 }
+ /*
+ * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
 * According to OpenSSL documentation, a temporary RSA key is needed when
 * export ciphers are in use, because the certified key cannot be
 * directly used.
 */
 SSL_CTX_set_tmp_rsa_callback(server_ctx, tls_tmp_rsa_cb);
+#endif
 /*
 * Diffie-Hellman key generation parameters can either be loaded from