From a32d507d0ce71536cba3d754844a9a55844da3f0 Mon Sep 17 00:00:00 2001
From: Rainer Jung
Date: Wed, 10 Aug 2016 21:11:28 +0000
Subject: [PATCH] Support for OpenSSL 1.1.0:
- DH was made opaque

Backport of r1738410 from trunk.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755862 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_init.c | 41 ++++++++++++++++++++++++++++++-----
 modules/ssl/ssl_private.h     |  1 +
 2 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 543fe572eb4..6b09f8dd134 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -47,21 +47,50 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
 #define KEYTYPES "RSA or DSA"
 #endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+/* OpenSSL Pre-1.1.0 compatibility */
+/* Taken from OpenSSL 1.1.0 snapshot 20160410 */
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+    /* q is optional */
+    if (p == NULL || g == NULL)
+        return 0;
+    BN_free(dh->p);
+    BN_free(dh->q);
+    BN_free(dh->g);
+    dh->p = p;
+    dh->q = q;
+    dh->g = g;
+
+    if (q != NULL) {
+        dh->length = BN_num_bits(q);
+    }
+
+    return 1;
+}
+#endif
+
 /*
  * Grab well-defined DH parameters from OpenSSL, see the get_rfc*
  * functions in for all available primes.
  */
-static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)
+static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *))
 {
     DH *dh = DH_new();
+    BIGNUM *p, *g;
     if (!dh) {
         return NULL;
     }
-    dh->p = prime(NULL);
-    BN_dec2bn(&dh->g, gen);
-    if (!dh->p || !dh->g) {
+    p = prime(NULL);
+    g = BN_new();
+    if (g != NULL) {
+        BN_set_word(g, 2);
+    }
+    if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) {
         DH_free(dh);
+        BN_free(p);
+        BN_free(g);
         return NULL;
     }
     return dh;
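Review bot: In the new make_dh_params() body the return value of `BN_set_word(g, 2)` is discarded, so if BN_set_word fails (it can return 0 on an internal allocation error) g is left as a zero-valued BIGNUM that `DH_set0_pqg(dh, p, NULL, g)` then installs as the generator instead of the function failing. Route that case into the existing cleanup branch, e.g. `if (g != NULL && !BN_set_word(g, 2)) { BN_free(g); g = NULL; }`, so the following `!g` test rejects it. Separately, the pre-1.1.0 `DH_set0_pqg` shim is defined with external linkage and no visible prototype; making it `static`, or declaring it in ssl_private.h next to the other compatibility definitions, avoids a missing-prototype warning and any symbol clash should another compatibility layer in the same build provide the same name.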
@@ -86,7 +115,7 @@ static void init_dh_params(void)
     unsigned n;
     for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++)
-        dhparams[n].dh = make_dh_params(dhparams[n].prime, "2");
+        dhparams[n].dh = make_dh_params(dhparams[n].prime);
 }
 static void free_dh_params(void)
@@ -1252,7 +1281,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
         SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
                      "Custom DH parameters (%d bits) for %s loaded from %s",
-                     BN_num_bits(dhparams->p), vhost_id, certfile);
+                     DH_bits(dhparams), vhost_id, certfile);
         DH_free(dhparams);
     }
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index b173b597885..934afa6f561 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -205,6 +205,7 @@
 #define BIO_set_data(x,v) (x->ptr=v)
 #define BIO_get_shutdown(x) (x->shutdown)
 #define BIO_set_shutdown(x,v) (x->shutdown=v)
+#define DH_bits(x) (BN_num_bits(x->p))
 #else
 void init_bio_methods(void);
 void free_bio_methods(void);
--
2.47.2
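Review bot: The new `DH_bits` compatibility macro in ssl_private.h does not parenthesize its argument, so any caller passing a non-primary expression (a cast, a conditional, a comma expression) would mis-expand; write it as `#define DH_bits(x) (BN_num_bits((x)->p))`. The neighbouring BIO_* macros share the same habit, but the added line need not copy it. The `#if` that encloses these definitions starts outside the hunk; presumably it is the same OpenSSL-version guard used in ssl_engine_init.c, which is worth confirming so that 1.1.0 builds take the `#else` branch and use OpenSSL's own DH_bits().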