From: Remi Tricot-Le Breton Date: Fri, 11 Feb 2022 11:04:51 +0000 (+0100) Subject: MINOR: ssl: Add ssl_sock_set_tmp_dh_from_pkey helper function X-Git-Tag: v2.6-dev2~175 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f17930572c30fb21197b7feeb529a2c114af840;p=thirdparty%2Fhaproxy.git MINOR: ssl: Add ssl_sock_set_tmp_dh_from_pkey helper function This helper function will only be used with OpenSSLv3. It simply sets in an SSL_CTX a set of DH parameters of the same size as a certificate's private key. This logic is the same as the one used with older versions, it simply relies on new APIs. If no pkey can be found the SSL_CTX_set_dh_auto function wll be called, making the SSL_CTX rely on DH parameters provided by OpenSSL in case of DHE negotiation.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f75a454767..cb363cf553 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3108,6 +3108,20 @@ static int ssl_sock_set_tmp_dh(SSL_CTX *ctx, HASSL_DH *dh)
 #endif
 }
 
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+static void ssl_sock_set_tmp_dh_from_pkey(SSL_CTX *ctx, EVP_PKEY *pkey)
+{
+ HASSL_DH *dh = NULL;
+ if (pkey && (dh = ssl_get_tmp_dh(pkey))) {
+ HASSL_DH_up_ref(dh);
+ if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dh))
+ HASSL_DH_free(dh);
+ }
+ else
+ SSL_CTX_set_dh_auto(ctx, 1);
+}
+#endif
+
 HASSL_DH *ssl_sock_get_dh_from_bio(BIO *bio)
 {
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
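Review bot: When `SSL_CTX_set0_tmp_dh_pkey()` fails inside the new `ssl_sock_set_tmp_dh_from_pkey()`, the function releases the extra reference and returns without installing anything, so the SSL_CTX ends up with neither the size-matched parameters nor the `SSL_CTX_set_dh_auto()` fallback that the `else` branch provides, and the `void` return gives the caller no way to notice; the failure branch should at least fall through to the same fallback, e.g. `if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dh)) { HASSL_DH_free(dh); SSL_CTX_set_dh_auto(ctx, 1); }`, and ideally the helper should return an int so the caller can log or reject the configuration. The return value of `SSL_CTX_set_dh_auto()` is likewise ignored in both places it would be called. The `HASSL_DH_up_ref()` before the `set0` call is presumably there because `ssl_get_tmp_dh()` hands back a shared object while `set0` takes ownership; a one-line comment such as `/* set0 takes ownership; ssl_get_tmp_dh() returns a shared object, so take our own ref */` would make that invariant explicit for the next maintainer. Note also that sizing the DHE group from the certificate key size inherits the strength of that key, so a small certificate key yields a correspondingly small DH group; if a minimum is enforced it lives in `ssl_get_tmp_dh()`, which is outside this hunk. The `ssl_sock_get_dh_from_bio()` definition that starts at the end of the hunk continues outside it.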