author | Matt Caswell <matt@openssl.org> | 2020-10-15 16:45:54 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-11-18 14:14:52 +0000 |
commit | 163f6dc1f70f30de46a68137c36e70cae4d95cd8 (patch) | |
tree | c7f1c37b230a8f226b716b65736c2b1cb236cfd4 /ssl/ssl_conf.c | |
parent | 9912be1b33bf2a65672d70ad75e07e0d63d33df3 (diff) |
Implement a replacement for SSL_set_tmp_dh()
The old function took a DH as a parameter. In the new version we pass
an EVP_PKEY instead. Similarly for the SSL_CTX version of this function.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
Diffstat (limited to 'ssl/ssl_conf.c')
-rw-r--r-- | ssl/ssl_conf.c | 48 |
1 files changed, 32 insertions, 16 deletions
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 2311df5d84..2e8240c73b 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -11,7 +11,8 @@
 #include "ssl_local.h"
 #include <openssl/conf.h>
 #include <openssl/objects.h>
-#include <openssl/dh.h>
+#include <openssl/decoder.h>
+#include <openssl/core_dispatch.h>
 #include "internal/nelem.h"
 
 /*
@@ -574,34 +575,51 @@ static int cmd_ClientCAStore(SSL_CONF_CTX *cctx, const char *value)
 return cmd_RequestCAStore(cctx, value);
 }
 
-#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-/* TODO(3.0): We need a 3.0 friendly way of doing this */
 static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
 {
 int rv = 0;
-DH *dh = NULL;
+EVP_PKEY *dhpkey = NULL;
 BIO *in = NULL;
-if (cctx->ctx || cctx->ssl) {
+SSL_CTX *sslctx = (cctx->ssl != NULL) ? cctx->ssl->ctx : cctx->ctx;
+OSSL_DECODER_CTX *decoderctx = NULL;
+
+if (cctx->ctx != NULL || cctx->ssl != NULL) {
 in = BIO_new(BIO_s_file());
 if (in == NULL)
 goto end;
 if (BIO_read_filename(in, value) <= 0)
 goto end;
-dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
-if (dh == NULL)
+
+decoderctx
+= OSSL_DECODER_CTX_new_by_EVP_PKEY(&dhpkey, "PEM", NULL, "DH",
+OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
+sslctx->libctx, sslctx->propq);
+if (decoderctx == NULL
+|| !OSSL_DECODER_from_bio(decoderctx, in)) {
+OSSL_DECODER_CTX_free(decoderctx);
+goto end;
+}
+OSSL_DECODER_CTX_free(decoderctx);
+
+if (dhpkey == NULL)
 goto end;
-} else
+} else {
 return 1;
-if (cctx->ctx)
-rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh);
-if (cctx->ssl)
-rv = SSL_set_tmp_dh(cctx->ssl, dh);
+}
+
+if (cctx->ctx != NULL) {
+if ((rv = SSL_CTX_set0_tmp_dh_pkey(cctx->ctx, dhpkey)) > 0)
+dhpkey = NULL;
+}
+if (cctx->ssl != NULL) {
+if ((rv = SSL_set0_tmp_dh_pkey(cctx->ssl, dhpkey)) > 0)
+dhpkey = NULL;
+}
 end:
-DH_free(dh);
+EVP_PKEY_free(dhpkey);
 BIO_free(in);
 return rv > 0;
 }
-#endif
 
 static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value)
 {
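Review bot: The single OSSL_DECODER_from_bio() call in the new cmd_DHParameters may not match the PEM_read_bio_DHparams() it replaces when the file also holds other PEM objects (a certificate bundled ahead of its DH PARAMETERS block is a common server layout): the old reader scanned past non-matching PEM blocks, and whether the decoder restricted to "DH"/OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS does the same is not visible here, so an existing configuration could start failing at `if (dhpkey == NULL) goto end;` with no diagnostic beyond the generic return. That case deserves a regression test; if it fails, the decode has to continue past non-matching blocks, e.g. `while (!OSSL_DECODER_from_bio(decoderctx, in) && dhpkey == NULL && !BIO_eof(in)) ;` in place of the one-shot call, with the `decoderctx == NULL` check kept as a separate early exit. A smaller point: when both `cctx->ctx` and `cctx->ssl` are set, a successful SSL_CTX_set0_tmp_dh_pkey() nulls `dhpkey` before SSL_set0_tmp_dh_pkey() runs, so the SSL object would receive NULL where the old code passed the same `dh` to both; that is harmless only if an SSL_CONF_CTX never carries both, which this hunk does not show, so a one-line comment stating that invariant above the two blocks would help the next reader. cmd_DHParameters is fully visible; the hunk also cuts the tail of cmd_ClientCAStore and the head of cmd_RecordPadding.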
@@ -727,11 +745,9 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
 SSL_CONF_CMD(ClientCAStore, NULL, SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_STORE),
-#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_FILE),
-#endif
 SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0),
 SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER),
 }; |