MINOR: ssl: Add ssl_sock_get_dh_from_bio helper function

This new function makes use of the new OpenSSLv3 APIs that should be
used to load DH parameters from a file (or a BIO in this case) and that
should replace the deprecated PEM_read_bio_DHparams function.
Note that this function returns an EVP_PKEY when using OpenSSLv3 since
they now advise against using low level structures such as DH ones.
This helper function is not used yet so this commit should be stricly
iso-functional, regardless of the OpenSSL version.

diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index e80ad2dd4c1617e1af0abb9b40749fff91fa6cba..cd1c2d4029462d18ef5d03249eb9a39190a923db 100644 (file)
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -95,6 +95,7 @@ struct tls_keys_ref *tlskeys_ref_lookup(const char *filename);
 struct tls_keys_ref *tlskeys_ref_lookupid(int unique_id);
 #endif
 #ifndef OPENSSL_NO_DH
+HASSL_DH *ssl_sock_get_dh_from_bio(BIO *bio);
 int ssl_sock_load_global_dh_param_from_file(const char *filename);
 void ssl_free_dh(void);
 #endif

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b360f714bcf26c5c3c57bfccb01a0d11dec229d4..41a716573dce57ad187af1b072ba8b9f21c3b879 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3084,6 +3084,40 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
        return dh;
 }
 
+HASSL_DH *ssl_sock_get_dh_from_bio(BIO *bio)
+{
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+       HASSL_DH *dh = NULL;
+       OSSL_DECODER_CTX *dctx = NULL;
+       const char *format = "PEM";
+       const char *keytype = "DH";
+
+       dctx = OSSL_DECODER_CTX_new_for_pkey(&dh, format, NULL, keytype,
+                                            OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
+                                            NULL, NULL);
+
+       if (dctx == NULL || OSSL_DECODER_CTX_get_num_decoders(dctx) == 0)
+               goto end;
+
+       /* The DH parameters might not be the first section found in the PEM
+        * file so we need to iterate over all of them until we find the right
+        * one.
+        */
+       while (!BIO_eof(bio) && !dh)
+               OSSL_DECODER_from_bio(dctx, bio);
+
+end:
+       OSSL_DECODER_CTX_free(dctx);
+       return dh;
+#else
+       HASSL_DH *dh = NULL;
+
+       dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+
+       return dh;
+#endif
+}
+
 static DH * ssl_sock_get_dh_from_file(const char *filename)
 {
        DH *dh = NULL;