From: Viktor Dukhovni
Date: Sun, 10 Jan 2016 07:57:53 +0000 (-0500)
Subject: Bitrot: OpenSSL 1.1.0-dev drops EXPORT ciphers and ephemeral RSA
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=899ae15e91e5661c781e852d69374604d3f4af49;p=thirdparty%2Fpostfix.git

Bitrot: OpenSSL 1.1.0-dev drops EXPORT ciphers and ephemeral RSA
---
diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index d11a9ca36..da50ad211 100644
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -465,12 +465,17 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
 return (0);
 }
+ /*
+ * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
 * According to the OpenSSL documentation, temporary RSA key is needed
 * export ciphers are in use. We have to provide one, so well, we just do
 * it.
 */
 SSL_CTX_set_tmp_rsa_callback(client_ctx, tls_tmp_rsa_cb);
+#endif
 /*
 * Finally, the setup for the server certificate checking, done "by the
diff --git a/postfix/src/tls/tls_rsa.c b/postfix/src/tls/tls_rsa.c
index cb1476b8a..3e85e19d9 100644
--- a/postfix/src/tls/tls_rsa.c
+++ b/postfix/src/tls/tls_rsa.c
@@ -48,6 +48,11 @@
 #define TLS_INTERNAL
 #include
+ /*
+ * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
 /* tls_tmp_rsa_cb - call-back to generate ephemeral RSA key */
 RSA *tls_tmp_rsa_cb(SSL *unused_ssl, int unused_export, int keylength)
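Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guard and its dated comment are repeated verbatim here, in both tls_rsa.c hunks and in tls_server.c, so the version threshold now lives in four places; one feature macro defined beside the OpenSSL includes in the shared TLS header (a constructed name such as `TLS_NEED_TMP_RSA`) would keep the three call sites in step and give the dated comment a single home. The pre-existing comment enclosed by the guard also reads `temporary RSA key is needed export ciphers are in use`; the tls_server.c copy has the missing `when`, and it would be worth stating in both that this callback only matters for export suites, for which the TEST main in tls_rsa.c requests a 512-bit key that `keylength` passes straight to RSA_generate_key. tls_client_init starts and ends outside the hunk.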
@@ -60,15 +65,23 @@ RSA *tls_tmp_rsa_cb(SSL *unused_ssl, int unused_export, int keylength)
 rsa_tmp = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
 return (rsa_tmp);
 }
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifdef TEST
 int main(int unused_argc, char **unused_argv)
 {
- tls_tmp_rsa_cb(0, 1, 512);
- tls_tmp_rsa_cb(0, 1, 1024);
- tls_tmp_rsa_cb(0, 1, 2048);
- tls_tmp_rsa_cb(0, 0, 512);
+ int ok = 1;
+ /*
+ * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ ok = ok && tls_tmp_rsa_cb(0, 1, 512) != 0;
+ ok = ok && tls_tmp_rsa_cb(0, 0, 1024) != 0;
+ ok = ok && tls_tmp_rsa_cb(0, 0, 2048) != 0;
+#endif
+
+ return ok ? 0 : 1;
 }
 #endif
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index a1cbf9f1e..71543b9c9 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -506,12 +506,17 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
 return (0);
 }
+ /*
+ * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 /*
 * According to OpenSSL documentation, a temporary RSA key is needed when
 * export ciphers are in use, because the certified key cannot be
 * directly used.
 */
 SSL_CTX_set_tmp_rsa_callback(server_ctx, tls_tmp_rsa_cb);
+#endif
 /*
 * Diffie-Hellman key generation parameters can either be loaded from
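Review bot: On OpenSSL 1.1.0 and later the TEST main in tls_rsa.c now exits 0 without calling anything, so a test run reads as a pass when nothing was exercised; an `#else` branch carrying a comment such as `/* no ephemeral RSA in this OpenSSL: nothing to test */` (or a line on stderr) would make the skip visible. The `ok = ok && …` chain also stops at the first failing size, so a failure at 512 reports nothing about 1024 and 2048, and none of the returned keys is released: if `rsa_tmp` (declared outside the hunk) is a fresh allocation per call rather than a static cache, each call leaks one RSA key, which an `RSA_free()` on each non-null result would avoid, whereas a cached key must not be freed here. The enclosing function tls_tmp_rsa_cb starts outside the hunk.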