From: Remi Tricot-Le Breton
Date: Fri, 11 Feb 2022 11:04:49 +0000 (+0100)
Subject: MINOR: ssl: Factorize ssl_get_tmp_dh and append a cbk to its name
X-Git-Tag: v2.6-dev2~177
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=292a88ce94a0d0b56252be1f89f26a31f891415d;p=thirdparty%2Fhaproxy.git

MINOR: ssl: Factorize ssl_get_tmp_dh and append a cbk to its name

In the upcoming OpenSSLv3 specific patches, we will make use of the newly created ssl_get_tmp_dh that returns an EVP_PKEY containing DH parameters of the same size as a bind line's RSA or DSA private key. The previously named ssl_get_tmp_dh function was renamed ssl_get_tmp_dh_cbk because it is only used as a callback passed to OpenSSL through SSL_CTX_set_tmp_dh_callback calls.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 41a716573d..d615593194 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -471,7 +471,7 @@ static DH *global_dh = NULL;
 static DH *local_dh_1024 = NULL;
 static DH *local_dh_2048 = NULL;
 static DH *local_dh_4096 = NULL;
-static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen);
+static DH *ssl_get_tmp_dh_cbk(SSL *ssl, int export, int keylen);
 #endif /* OPENSSL_NO_DH */
 
 #if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
@@ -2237,7 +2237,7 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
 if (newcrt) X509_free(newcrt);
 
 #ifndef OPENSSL_NO_DH
- SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_get_tmp_dh);
+ SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_get_tmp_dh_cbk);
 #endif
 
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
@@ -3050,13 +3050,11 @@ static DH *ssl_get_dh_4096(void)
 return dh;
 }
 
-/* Returns Diffie-Hellman parameters matching the private key length
- but not exceeding global_ssl.default_dh_param */
-static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
+static DH *ssl_get_tmp_dh(EVP_PKEY *pkey)
 {
 DH *dh = NULL;
- EVP_PKEY *pkey = SSL_get_privatekey(ssl);
 int type;
+ int keylen = 0;
 
 type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
 
@@ -3084,6 +3082,15 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
 return dh;
 }
 
+/* Returns Diffie-Hellman parameters matching the private key length
+ but not exceeding global_ssl.default_dh_param */
+static DH *ssl_get_tmp_dh_cbk(SSL *ssl, int export, int keylen)
+{
+ EVP_PKEY *pkey = SSL_get_privatekey(ssl);
+
+ return ssl_get_tmp_dh(pkey);
+}
+
 HASSL_DH *ssl_sock_get_dh_from_bio(BIO *bio)
 {
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
@@ -3351,7 +3358,7 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 }
 }
 else {
- SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh_cbk);
 }
 }
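Review bot: The new `ssl_get_tmp_dh(EVP_PKEY *pkey)` in the -3050 hunk is left without a header comment, because the only description of the DH-size selection now sits on `ssl_get_tmp_dh_cbk` in the -3084 hunk, which merely forwards the private key. Add a comment on the helper such as `/* Returns the DH parameters matching the size of <pkey> (an RSA or DSA key), but not exceeding global_ssl.default_dh_param; <pkey> may be NULL. */` and shorten the callback's comment to say it is the SSL_CTX_set_tmp_dh_callback entry point and that its `export` and `keylen` arguments are ignored. Since `keylen` is now a local initialised to 0 instead of the hint OpenSSL passed to the callback, a key that is neither RSA nor DSA presumably leaves it at 0 and takes whatever smallest-group path the body selects; the body of ssl_get_tmp_dh continues outside the hunk, so that fallback and any remaining comment describing keylen as "supplied by OpenSSL" cannot be checked here and should be reviewed with the rest of the function.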