MINOR: ssl: Add ssl_sock_set_tmp_dh helper function
Starting from OpenSSLv3, the SSL_CTX_set_tmp_dh function is deprecated
and it should be replaced by SSL_CTX_set0_tmp_dh_pkey, which takes an
EVP_PKEY instead of a DH parameter. Since this function is new to
OpenSSLv3 and its use requires an extra EVP_PKEY_up_ref call, we will
keep the two versions side by side; otherwise we would have to get
rid of all DH references in the older OpenSSL versions as well.
This helper function is not used yet so this commit should be strictly
iso-functional, regardless of the OpenSSL version.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d615593..f75a454 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3091,6 +3091,23 @@
return ssl_get_tmp_dh(pkey);
}
+static int ssl_sock_set_tmp_dh(SSL_CTX *ctx, HASSL_DH *dh)
+{
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
+ return SSL_CTX_set_tmp_dh(ctx, dh);
+#else
+ int retval = 0;
+ HASSL_DH_up_ref(dh);
+
+ retval = SSL_CTX_set0_tmp_dh_pkey(ctx, dh);
+
+ if (!retval)
+ HASSL_DH_free(dh);
+
+ return retval;
+#endif
+}
+
HASSL_DH *ssl_sock_get_dh_from_bio(BIO *bio)
{
#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
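Review bot: In the OpenSSL 3 branch of ssl_sock_set_tmp_dh the return value of `HASSL_DH_up_ref(dh)` is discarded, yet the whole ownership scheme rests on that extra reference having been taken: on success SSL_CTX_set0_tmp_dh_pkey keeps the reference we just added, and on failure we drop it again with HASSL_DH_free. If HASSL_DH_up_ref maps to EVP_PKEY_up_ref as the description suggests, it can return 0, in which case a successful set0 call would let the context own a reference nobody added and the caller's later free would become a double free of the key. I would bail out before touching the context: `if (!HASSL_DH_up_ref(dh)) return 0;` and drop the `retval = 0` initializer, which is overwritten unconditionally anyway. A short header comment would also pin the contract for callers, e.g. `/* Set dh as the SSL_CTX's temporary DH parameters. The caller keeps its own reference to dh on both success and failure; returns 1 on success, 0 on error. */`, since the two branches only behave identically because of the up_ref/free dance.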