From: Remi Tricot-Le Breton Date: Fri, 11 Feb 2022 11:04:50 +0000 (+0100) Subject: MINOR: ssl: Add ssl_sock_set_tmp_dh helper function X-Git-Tag: v2.6-dev2~176 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=846eda91bab19c63bbdcac8d46ae20f47c1edb9d;p=thirdparty%2Fhaproxy.git MINOR: ssl: Add ssl_sock_set_tmp_dh helper function Starting from OpenSSLv3, the SSL_CTX_set_tmp_dh function is deprecated and it should be replaced by SSL_CTX_set0_tmp_dh_pkey, which takes an EVP_PKEY instead of a DH parameter. Since this function is new to OpenSSLv3 and its use requires an extra EVP_PKEY_up_ref call, we will keep the two versions side by side, otherwise it would require to get rid of all DH references in older OpenSSL versions as well. This helper function is not used yet so this commit should be strictly iso-functional, regardless of the OpenSSL version. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index d615593194..f75a454767 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3091,6 +3091,23 @@ static DH *ssl_get_tmp_dh_cbk(SSL *ssl, int export, int keylen) return ssl_get_tmp_dh(pkey); } +static int ssl_sock_set_tmp_dh(SSL_CTX *ctx, HASSL_DH *dh) +{ +#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL) + return SSL_CTX_set_tmp_dh(ctx, dh); +#else + int retval = 0; + HASSL_DH_up_ref(dh); + + retval = SSL_CTX_set0_tmp_dh_pkey(ctx, dh); + + if (!retval) + HASSL_DH_free(dh); + + return retval; +#endif +} + HASSL_DH *ssl_sock_get_dh_from_bio(BIO *bio) { #if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
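Review bot: The return value of `HASSL_DH_up_ref(dh)` in the OpenSSL 3 branch of `ssl_sock_set_tmp_dh` is ignored; if that macro maps to `EVP_PKEY_up_ref` as the commit message suggests, a failed increment would still hand `dh` to `SSL_CTX_set0_tmp_dh_pkey`, which takes ownership on success, so the caller and the context would then share a single reference and the second release becomes a double free. Since the helper already returns an int, fail before the set0 call with `if (!dh || !HASSL_DH_up_ref(dh))` followed by `return 0;`; the NULL guard matters too, because I believe the pre-3.0 `SSL_CTX_set_tmp_dh` reports a NULL parameter as an error whereas the new path would dereference it inside the up_ref. A short comment above the function stating the ownership contract would help the callers this prepares for: in both builds the caller keeps its own reference to `dh` (the legacy API copies the parameters, the 3.0 API is given the extra reference taken here, which is dropped again when set0 fails). The function is `static` and, per the description, not yet used, so toolchains warning on unused static functions may complain until the caller lands.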