From: Joe Orton
Date: Fri, 21 May 2021 09:58:14 +0000 (+0000)
Subject: mod_ssl: Switch to using OpenSSL's automatic internal DH parameter
X-Git-Tag: 2.5.0-alpha2-ci-test-only~937
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ce47de74a7b7746107c4eced3abd5985baf690f;p=thirdparty%2Fapache%2Fhttpd.git

mod_ssl: Switch to using OpenSSL's automatic internal DH parameter generation from OpenSSL 1.1.0 and later. The SSL_set_tmp_dh_callback() API is deprecated from OpenSSL 3.0 onwards. Should not be a user-visible change (except mod_ssl gets smaller).

* modules/ssl/ssl_private.h, modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Drop internal DH parameter generation and callback for OpenSSL 1.1+, use SSL_CTX_set_dh_auto(, 1) instead.

Github: closes #188
Reviewed by: rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890067 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 6ecc5df69bc..bd11f975f71 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -92,7 +92,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
 return 1;
 }
-#endif
 /*
 * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
@@ -172,6 +171,7 @@ DH *modssl_get_dh_params(unsigned keylen)
 return NULL; /* impossible to reach. */
 }
+#endif
 static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
 server_rec *s)
@@ -456,8 +456,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 init_dh_params();
-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+#else
 init_bio_methods();
 #endif
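Review bot: The `#if` whose `#endif` is removed at the top of the @@ -92 hunk opens before line 92, outside the hunk, so the diff alone does not show that its condition is exactly `MODSSL_USE_OPENSSL_PRE_1_1_API`, the macro that the new call sites in the @@ -456 hunk (and the new guards in ssl_engine_kernel.c and ssl_private.h) test. If that opening `#if` was written with a different condition, for example an additional LibreSSL version test next to the pre-1.1 check, a build where the two conditions disagree would either lose the definitions of `init_dh_params`/`free_dh_params`/`modssl_get_dh_params` while @@ -456 still calls them, or compile them unused; the opening line is worth confirming before merge. Since the guarded region is now much longer, tagging the relocated `#endif` in the @@ -172 hunk as `#endif /* MODSSL_USE_OPENSSL_PRE_1_1_API */` would help readers, and the same tag fits the new `#endif`s in the other two files.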
@@ -918,7 +919,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
 {
 SSL_CTX *ctx = mctx->ssl_ctx;
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
+#else
+    SSL_CTX_set_dh_auto(ctx, 1);
+#endif
 /* The info callback is used for debug-level tracing. For OpenSSL
 * versions where SSL_OP_NO_RENEGOTIATION is not available, the
@@ -2361,10 +2366,11 @@ apr_status_t ssl_init_ModuleKill(void *data)
 }
-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
+    free_dh_params();
+#else
 free_bio_methods();
 #endif
-    free_dh_params();
 return APR_SUCCESS;
 }
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 8e7437bf6c0..eb97f6b64ff 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1704,6 +1704,7 @@ const authz_provider ssl_authz_provider_verify_client =
 ** _________________________________________________________________
 */
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 /*
 * Hand out standard DH parameters, based on the authentication strength
 */
@@ -1749,6 +1750,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
 return modssl_get_dh_params(keylen);
 }
+#endif
 /*
 * This OpenSSL callback function is called when OpenSSL
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 67176652cfb..7eb9a364b04 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -1150,10 +1150,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
 #endif
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 /* Retrieve DH parameters for given key length. Return value should
 * be treated as unmutable, since it is stored in process-global
 * memory. */
 DH *modssl_get_dh_params(unsigned keylen);
+#endif
 /* Returns non-zero if the request was made over SSL/TLS. If sslconn
 * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
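Review bot: `SSL_CTX_set_dh_auto(ctx, 1);` in the new `#else` branch is enabled unconditionally on every server context, and as far as I recall OpenSSL's server key-exchange path consults the auto-selection flag before any parameters set explicitly with `SSL_CTX_set_tmp_dh`; if mod_ssl still loads administrator-supplied DH parameters from the certificate file elsewhere in initialisation (not visible here), those pinned groups would be silently replaced by OpenSSL's built-in choice on 1.1.0+ builds, which would contradict the "not a user-visible change" statement in the commit message and matters for deployments that select a group for policy reasons. This precedence should be verified against the OpenSSL version in use, and if explicit parameters are meant to win, auto selection should be enabled only when no custom parameters were loaded, or switched off with `SSL_CTX_set_dh_auto(ctx, 0)` where they are. A short comment on the new call would also document the behaviour change for maintainers, e.g. `/* Let OpenSSL choose built-in DH parameters matched to the key's security strength (replaces modssl_get_dh_params) */`. ssl_init_ctx_callbacks continues past the end of the hunk.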