MINOR: ssl: Add ssl_sock_set_tmp_dh_from_pkey helper function

This helper function will only be used with OpenSSLv3. It simply sets in
an SSL_CTX a set of DH parameters of the same size as a certificate's
private key. This logic is the same as the one used with older versions,
it simply relies on new APIs.
If no pkey can be found the SSL_CTX_set_dh_auto function wll be called,
making the SSL_CTX rely on DH parameters provided by OpenSSL in case of
DHE negotiation.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f75a454767d8c6574670eede37cc46f997ee2aea..cb363cf55368cc06095fa3d64eb5330af850ff2d 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3108,6 +3108,20 @@ static int ssl_sock_set_tmp_dh(SSL_CTX *ctx, HASSL_DH *dh)
 #endif
 }
 
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+static void ssl_sock_set_tmp_dh_from_pkey(SSL_CTX *ctx, EVP_PKEY *pkey)
+{
+       HASSL_DH *dh = NULL;
+       if (pkey && (dh = ssl_get_tmp_dh(pkey))) {
+               HASSL_DH_up_ref(dh);
+               if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dh))
+                       HASSL_DH_free(dh);
+       }
+       else
+               SSL_CTX_set_dh_auto(ctx, 1);
+}
+#endif
+
 HASSL_DH *ssl_sock_get_dh_from_bio(BIO *bio)
 {
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)