From: Remi Tricot-Le Breton
Date: Fri, 11 Feb 2022 11:04:52 +0000 (+0100)
Subject: MINOR: ssl: Add ssl_new_dh_fromdata helper function
X-Git-Tag: v2.6-dev2~174
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7f6425a130c1b34434d546741b6242dbdafb5406;p=thirdparty%2Fhaproxy.git

MINOR: ssl: Add ssl_new_dh_fromdata helper function

Starting from OpenSSLv3, the DH_set0_pqg function is deprecated and the use of DH objects directly is advised against so this new helper function will be used to convert our hard-coded DH parameters into an EVP_PKEY. It relies on the new OSSL_PARAM mechanism, as described in the EVP_PKEY-DH manpage.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cb363cf553..1af45eb2ec 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2899,6 +2899,46 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
 #ifndef OPENSSL_NO_DH
+static inline HASSL_DH *ssl_new_dh_fromdata(BIGNUM *p, BIGNUM *g)
+{
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+	OSSL_PARAM_BLD *tmpl = NULL;
+	OSSL_PARAM *params = NULL;
+	EVP_PKEY_CTX *ctx = NULL;
+	EVP_PKEY *pkey = NULL;
+
+	if ((tmpl = OSSL_PARAM_BLD_new()) == NULL
+	    || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
+	    || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, g)
+	    || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
+		goto end;
+	}
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+	if (ctx == NULL
+	    || !EVP_PKEY_fromdata_init(ctx)
+	    || !EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params)) {
+		goto end;
+	}
+
+end:
+	EVP_PKEY_CTX_free(ctx);
+	OSSL_PARAM_free(params);
+	OSSL_PARAM_BLD_free(tmpl);
+	return pkey;
+#else
+
+	DH *dh = DH_new();
+
+	if (!dh)
+		return NULL;
+
+	DH_set0_pqg(dh, p, NULL, g);
+
+	return dh;
+#endif
+}
+
 static DH * ssl_get_dh_1024(void)
 {
 	static unsigned char dh1024_p[]={
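Review bot: The two branches of ssl_new_dh_fromdata leave `p` and `g` with different owners: `DH_set0_pqg(dh, p, NULL, g)` in the `#else` branch takes the two BIGNUMs over, whereas in the OpenSSL 3 branch OSSL_PARAM_BLD_push_BN only references them and EVP_PKEY_fromdata copies their values into `pkey`, so there the caller keeps ownership and must BN_free() them itself (as far as the OSSL_PARAM_BLD documentation describes it). The legacy branch is not even consistent with itself: when `DH_new()` fails it returns NULL without consuming `p` and `g`, while on success they are consumed, so a caller cannot free them uniformly; I would make that branch always take ownership with `if (!dh) { BN_free(p); BN_free(g); return NULL; }`. Nothing on the function records the contract, and a caller written against one OpenSSL version will leak or double-free on the other, so a header comment stating it is needed, e.g. `/* Build DH parameters from p and g. With OpenSSL >= 3.0 the values are copied and p/g stay owned by the caller; with older OpenSSL ownership of p and g passes to the helper. Returns NULL on error. */`. The return value of `DH_set0_pqg` is also discarded; as far as I know it can only fail when a required parameter is NULL, which cannot happen here, but a short comment saying so would save the next reader from checking.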