commit 7f6425a130c1b34434d546741b6242dbdafb5406
author Remi Tricot-Le Breton <rlebreton@haproxy.com> Fri Feb 11 12:04:52 2022 +0100
committer William Lallemand <wlallemand@haproxy.org> Mon Feb 14 10:07:14 2022 +0100
tree 3267d1a3e2c67a45991e9b5aa9da251696f9a623
parent 5f17930572c30fb21197b7feeb529a2c114af840

MINOR: ssl: Add ssl_new_dh_fromdata helper function

Starting from OpenSSLv3, the DH_set0_pqg function is deprecated and the
use of DH objects directly is advised against so this new helper
function will be used to convert our hard-coded DH parameters into an
EVP_PKEY. It relies on the new OSSL_PARAM mechanism, as described in the
EVP_PKEY-DH manpage.

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cb363cf..1af45eb 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2899,6 +2899,46 @@
 
 #ifndef OPENSSL_NO_DH
 
+static inline HASSL_DH *ssl_new_dh_fromdata(BIGNUM *p, BIGNUM *g)
+{
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+	OSSL_PARAM_BLD *tmpl = NULL;
+	OSSL_PARAM *params = NULL;
+	EVP_PKEY_CTX *ctx = NULL;
+	EVP_PKEY *pkey = NULL;
+
+	if ((tmpl = OSSL_PARAM_BLD_new()) == NULL
+	    || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
+	    || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, g)
+	    || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
+		goto end;
+	}
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+	if (ctx == NULL
+	    || !EVP_PKEY_fromdata_init(ctx)
+	    || !EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params)) {
+		goto end;
+	}
+
+end:
+	EVP_PKEY_CTX_free(ctx);
+	OSSL_PARAM_free(params);
+	OSSL_PARAM_BLD_free(tmpl);
+	return pkey;
+#else
+
+	DH *dh = DH_new();
+
+	if (!dh)
+		return NULL;
+
+	DH_set0_pqg(dh, p, NULL, g);
+
+	return dh;
+#endif
+}
+
+
 static DH * ssl_get_dh_1024(void)
 {
 	static unsigned char dh1024_p[]={