From: Remi Tricot-Le Breton
Date: Fri, 11 Feb 2022 11:04:56 +0000 (+0100)
Subject: MINOR: ssl: Remove calls to SSL_CTX_set_tmp_dh_callback on OpenSSLv3
X-Git-Tag: v2.6-dev2~170
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=88c5695c6706cecf6ca91ba553b298c0563d86f6;p=thirdparty%2Fhaproxy.git
MINOR: ssl: Remove calls to SSL_CTX_set_tmp_dh_callback on OpenSSLv3
The SSL_CTX_set_tmp_dh_callback function was marked as deprecated in OpenSSLv3 so this patch replaces this callback mechanism by a direct set of DH parameters during init.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 789601e40d..758b029d8c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -471,7 +471,11 @@ static HASSL_DH *global_dh = NULL;
 static HASSL_DH *local_dh_1024 = NULL;
 static HASSL_DH *local_dh_2048 = NULL;
 static HASSL_DH *local_dh_4096 = NULL;
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
 static DH *ssl_get_tmp_dh_cbk(SSL *ssl, int export, int keylen);
+#else
+static void ssl_sock_set_tmp_dh_from_pkey(SSL_CTX *ctx, EVP_PKEY *pkey);
+#endif
 #endif /* OPENSSL_NO_DH */
 
 #if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
@@ -2237,7 +2241,11 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
 if (newcrt) X509_free(newcrt);
 
 #ifndef OPENSSL_NO_DH
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
 SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_get_tmp_dh_cbk);
+#else
+ssl_sock_set_tmp_dh_from_pkey(ssl_ctx, pkey);
+#endif
 #endif
 
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
@@ -3119,6 +3127,7 @@ static HASSL_DH *ssl_get_tmp_dh(EVP_PKEY *pkey)
 return dh;
 }
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
 /* Returns Diffie-Hellman parameters matching the private key length but not exceeding global_ssl.default_dh_param */
 static HASSL_DH *ssl_get_tmp_dh_cbk(SSL *ssl, int export, int keylen)
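Review bot: The new prototype `static void ssl_sock_set_tmp_dh_from_pkey(SSL_CTX *ctx, EVP_PKEY *pkey);` returns nothing, so neither call site this commit adds (in ssl_sock_do_create_cert and in ssl_sock_load_dh_params) can tell whether DH parameters were actually installed on the context, whereas the sibling helper `ssl_sock_set_tmp_dh` visible further down returns an int for exactly that. With the old callback a NULL result presumably surfaced as a failed DHE handshake; with an eager, unchecked set a missing DH group is silent and would only show up as DHE suites no longer being negotiable, which is harder to diagnose. I would declare it `static int ssl_sock_set_tmp_dh_from_pkey(SSL_CTX *ctx, EVP_PKEY *pkey);` and have both callers propagate the failure the way the rest of the load path does. While the declaration of ssl_get_tmp_dh_cbk is being wrapped in the pre-3.0 branch, its `DH *` return type could also be aligned with the `HASSL_DH *` used by the definition in the later hunk. The definition of the new helper is not in the hunks I can see, so its NULL-pkey and error behaviour is unverified here.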
@@ -3127,6 +3136,7 @@ static HASSL_DH *ssl_get_tmp_dh_cbk(SSL *ssl, int export, int keylen)
 return ssl_get_tmp_dh(pkey);
 }
+#endif
 static int ssl_sock_set_tmp_dh(SSL_CTX *ctx, HASSL_DH *dh)
 {
@@ -3426,7 +3436,11 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 }
 }
 else {
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
 SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh_cbk);
+#else
+ssl_sock_set_tmp_dh_from_pkey(ctx, ckch ? ckch->key : NULL);
+#endif
 }
 }
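Review bot: Passing `ckch ? ckch->key : NULL` means that when no ckch is available the DH group size is no longer derived from the private key actually used by the connection, which the pre-3.0 callback obtained from the SSL object at handshake time; what `ssl_sock_set_tmp_dh_from_pkey` does with a NULL pkey is not visible in this chunk, since its definition lies outside these hunks. If that path ends up selecting the smaller pre-generated parameters declared in the first hunk (local_dh_1024 among them), it would be a downgrade relative to the key-matched selection, so the NULL case deserves a comment here and a test asserting the group size that is installed. I would add `/* no cert key known here: the DH size is the helper's fallback, see ssl_sock_set_tmp_dh_from_pkey() */` above the new call. ssl_sock_load_dh_params starts and ends outside the hunk.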