From 846eda91bab19c63bbdcac8d46ae20f47c1edb9d Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Fri, 11 Feb 2022 12:04:50 +0100
Subject: [PATCH] MINOR: ssl: Add ssl_sock_set_tmp_dh helper function

Starting from OpenSSLv3, the SSL_CTX_set_tmp_dh function is deprecated and it should be replaced by SSL_CTX_set0_tmp_dh_pkey, which takes an EVP_PKEY instead of a DH parameter. Since this function is new to OpenSSLv3 and its use requires an extra EVP_PKEY_up_ref call, we will keep the two versions side by side, otherwise it would require to get rid of all DH references in older OpenSSL versions as well. This helper function is not used yet so this commit should be strictly iso-functional, regardless of the OpenSSL version.
---
 src/ssl_sock.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d61559319..f75a45476 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3091,6 +3091,23 @@ static DH *ssl_get_tmp_dh_cbk(SSL *ssl, int export, int keylen)
 	return ssl_get_tmp_dh(pkey);
 }
 
+static int ssl_sock_set_tmp_dh(SSL_CTX *ctx, HASSL_DH *dh)
+{
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
+	return SSL_CTX_set_tmp_dh(ctx, dh);
+#else
+	int retval = 0;
+	HASSL_DH_up_ref(dh);
+
+	retval = SSL_CTX_set0_tmp_dh_pkey(ctx, dh);
+
+	if (!retval)
+		HASSL_DH_free(dh);
+
+	return retval;
+#endif
+}
+
 HASSL_DH *ssl_sock_get_dh_from_bio(BIO *bio)
 {
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
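Review bot: The OpenSSL 3 branch of ssl_sock_set_tmp_dh discards the result of `HASSL_DH_up_ref(dh)`, so if the reference-count increment fails the key is still handed to `SSL_CTX_set0_tmp_dh_pkey` and, when that succeeds, the context takes ownership of a reference the caller still believes it holds; if the macro maps to EVP_PKEY_up_ref (which returns 0 on failure) the guard is one line, `if (!HASSL_DH_up_ref(dh)) return 0;`. The ownership contract also deserves a comment above the function because it differs per branch: the legacy `SSL_CTX_set_tmp_dh` copies the parameters, whereas the set0 variant consumes the reference, which is why the extra reference is taken and released again on failure. A header such as `/* Install dh as the context's ephemeral DH parameters. The caller keeps its own reference to dh in both OpenSSL variants; returns 1 on success, 0 on failure. */` would make that explicit to the first caller of this helper. With the up_ref check in place, `int retval = 0;` and the later assignment collapse into `int retval = SSL_CTX_set0_tmp_dh_pkey(ctx, dh);`.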