# NAME

**SSL_CTX_set_tmp_rsa_callback**, **SSL_CTX_set_tmp_rsa**, **SSL_CTX_need_tmp_rsa**, **SSL_set_tmp_rsa_callback**, **SSL_set_tmp_rsa**, **SSL_need_tmp_rsa** - handle RSA keys for ephemeral key exchange

# SYNOPSIS

```c
#include <openssl/ssl.h>

void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
          RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa);
long SSL_CTX_need_tmp_rsa(SSL_CTX *ctx);

void SSL_set_tmp_rsa_callback(SSL *ssl,
          RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa);
long SSL_need_tmp_rsa(SSL *ssl);

RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength);
```

# DESCRIPTION

**SSL_CTX_set_tmp_rsa_callback**() sets the callback function for *ctx* to be used when a temporary/ephemeral RSA key is required to *tmp_rsa_callback*. The callback is inherited by all SSL objects newly created from *ctx* with SSL_new(3). Already created SSL objects are not affected.

**SSL_CTX_set_tmp_rsa**() sets the temporary/ephemeral RSA key to be used to *rsa*. The key is inherited by all SSL objects newly created from *ctx* with SSL_new(3). Already created SSL objects are not affected.

**SSL_CTX_need_tmp_rsa**() returns 1 if a temporary/ephemeral RSA key is needed for RSA-based strength-limited ‘exportable’ ciphersuites because an RSA key with a key size larger than 512 bits is installed.

**SSL_set_tmp_rsa_callback**() sets the callback only for *ssl*.

**SSL_set_tmp_rsa**() sets the key only for *ssl*.

**SSL_need_tmp_rsa**() returns 1 if a temporary/ephemeral RSA key is needed for RSA-based strength-limited ‘exportable’ ciphersuites because an RSA key with a key size larger than 512 bits is installed.

# NOTES

When using a cipher with RSA authentication, an ephemeral RSA key exchange can take place. In this case the session data are negotiated using the ephemeral/temporary RSA key, and the RSA key supplied and certified by the certificate chain is only used for signing. *tmp_rsa_callback* is called with the *keylength* needed and the *is_export* information. The *is_export* flag is set when the ephemeral RSA key exchange is performed with an export cipher.

# RETURN VALUES

**SSL_CTX_set_tmp_rsa_callback**() and **SSL_set_tmp_rsa_callback**() do not return diagnostic output.

**SSL_CTX_set_tmp_rsa**() and **SSL_set_tmp_rsa**() return 1 on success and 0 on failure. Check the error queue to find out the reason of failure.

**SSL_CTX_need_tmp_rsa**() and **SSL_need_tmp_rsa**() return 1 if a temporary RSA key is needed and 0 otherwise.

# EXAMPLES

Generate temporary RSA keys to prepare ephemeral RSA key exchange. As the generation of an RSA key costs a lot of computer time, they are saved for later reuse. For demonstration purposes, two keys for 512 bits and 1024 bits respectively are generated.

```c
#include <openssl/ssl.h>
#include <openssl/rsa.h>

/* ... */

/* Set up ephemeral RSA stuff. The keys live at file scope so that the
 * callback below can reach them. */
RSA *rsa_512 = NULL;
RSA *rsa_1024 = NULL;

/* evaluate_error_queue() and should_not_happen_in_this_example() are
 * application-defined placeholders, not OpenSSL functions. */
rsa_512 = RSA_generate_key(512, RSA_F4, NULL, NULL);
if (rsa_512 == NULL)
    evaluate_error_queue();

rsa_1024 = RSA_generate_key(1024, RSA_F4, NULL, NULL);
if (rsa_1024 == NULL)
    evaluate_error_queue();

/* ... */

RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength)
{
    RSA *rsa_tmp = NULL;

    switch (keylength) {
    case 512:
        if (rsa_512)
            rsa_tmp = rsa_512;
        else {
            /* generate on the fly, should not happen in this example */
            rsa_tmp = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
            rsa_512 = rsa_tmp;      /* Remember for later reuse */
        }
        break;
    case 1024:
        if (rsa_1024)
            rsa_tmp = rsa_1024;
        else
            should_not_happen_in_this_example();
        break;
    default:
        /* Generating a key on the fly is very costly, so use what is there */
        if (rsa_1024)
            rsa_tmp = rsa_1024;
        else
            rsa_tmp = rsa_512;      /* Use at least a shorter key */
    }
    return rsa_tmp;
}
```
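The callback contract described in NOTES (called with the *keylength* the ciphersuite needs and the *is_export* flag, expected to return the key to use) leaves the selection policy to the application, and the example above falls back to the weaker 512-bit key when nothing else is cached. The following is an added example, not code from the man page or from OpenSSL, showing the same contract with a hardening policy: it refuses export-grade requests and never hands out a key weaker than the one requested, falling back only to a stronger cached key. Returning NULL from the callback leaves OpenSSL without a temporary key, which aborts the handshake. To keep it buildable without libcrypto, `struct tmp_key` stands in for the `RSA` object and `MIN_TMP_RSA_BITS` is an assumed policy floor; `select_tmp_key` and `chosen_bits` are names chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Policy floor for temporary RSA keys. 1024 bits is an assumed value for
 * this example, not something the man page prescribes. */
#define MIN_TMP_RSA_BITS 1024

/* Stand-in for OpenSSL's RSA object so the example builds without libcrypto;
 * a real callback would keep RSA * pointers here instead. */
struct tmp_key {
    int bits;
    int handed_out;     /* number of handshakes this key was returned for */
};

/* Pre-generated key cache, one slot per size, mirroring rsa_512/rsa_1024 in
 * the man page example (constructed data; in production these would be
 * produced by RSA_generate_key at startup). */
static struct tmp_key key_cache[] = {
    {  512, 0 },
    { 1024, 0 },
    { 2048, 0 },
};
#define KEY_CACHE_LEN (sizeof key_cache / sizeof key_cache[0])

/* Same contract as tmp_rsa_callback: return the key to use, or NULL when
 * no acceptable key exists (OpenSSL then aborts the handshake). Unlike the
 * man page example, this never substitutes a weaker key than requested. */
struct tmp_key *select_tmp_key(int is_export, int keylength)
{
    struct tmp_key *strongest = NULL;
    size_t i;

    /* Export ciphersuites cap the ephemeral key at 512 bits; refuse them,
     * and refuse any request below the policy floor. */
    if (is_export || keylength < MIN_TMP_RSA_BITS)
        return NULL;

    for (i = 0; i < KEY_CACHE_LEN; i++) {
        if (key_cache[i].bits == keylength) {
            key_cache[i].handed_out++;
            return &key_cache[i];       /* exact match */
        }
        /* Remember the strongest cached key that is at least as large. */
        if (key_cache[i].bits > keylength &&
            (strongest == NULL || key_cache[i].bits > strongest->bits))
            strongest = &key_cache[i];
    }

    /* No exact match: fall back to a stronger key only, never a weaker one. */
    if (strongest != NULL)
        strongest->handed_out++;
    return strongest;
}

/* Bit size of the key the policy chose for a request, or 0 if refused. */
int chosen_bits(int is_export, int keylength)
{
    struct tmp_key *k = select_tmp_key(is_export, keylength);
    return k ? k->bits : 0;
}

int main(void)
{
    printf("export,  512 -> %d\n", chosen_bits(1, 512));   /* 0: refused */
    printf("normal, 1024 -> %d\n", chosen_bits(0, 1024));  /* 1024: exact */
    printf("normal, 1536 -> %d\n", chosen_bits(0, 1536));  /* 2048: stronger fallback */
    printf("normal, 4096 -> %d\n", chosen_bits(0, 4096));  /* 0: nothing strong enough */
    return 0;
}
```

In a real server the body of `select_tmp_key` would be wrapped in a function with the `RSA *(*)(SSL *, int, int)` signature and installed with **SSL_CTX_set_tmp_rsa_callback**(); the point of the policy is that the 512-bit slot exists only for the cache and is never selected, so an export-grade ciphersuite cannot downgrade the key exchange.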