From bed72631f97d141c8878392a7441fde56192f103 Mon Sep 17 00:00:00 2001 From: Remi Tricot-Le Breton Date: Fri, 11 Feb 2022 12:04:53 +0100 Subject: [PATCH] MINOR: ssl: Build local DH of right size when needed The current way the local DH structures are built relies on the fact that the ssl_get_tmp_dh function would only be called as a callback during a DHE negotiation, so after all the SSL contexts are built and the init is over. With OpenSSLv3, this function will now be called during init, so before those objects are curretly built. This patch ensures that when calling ssl_get_tmp_dh and trying to use one of or hard-coded DH parameters, it will be created if it did not exist yet. The current DH parameter creation is also kept so that with versions before OpenSSLv3 we don't end up creating this DH object during a handshake. --- src/ssl_sock.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 1af45eb2e..27d3d527d 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3110,12 +3110,18 @@ static DH *ssl_get_tmp_dh(EVP_PKEY *pkey) } if (keylen >= 4096) { + if (!local_dh_4096) + local_dh_4096 = ssl_get_dh_4096(); dh = local_dh_4096; } else if (keylen >= 2048) { + if (!local_dh_2048) + local_dh_2048 = ssl_get_dh_2048(); dh = local_dh_2048; } else { + if (!local_dh_1024) + local_dh_1024 = ssl_get_dh_1024(); dh = local_dh_1024; }
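Review bot: the lazy initialisation added in all three branches of this hunk (`if (!local_dh_4096) local_dh_4096 = ssl_get_dh_4096();` and its 2048/1024 counterparts) is an unsynchronised check-then-set on a global. The commit message itself states that on OpenSSL versions before 3.0 ssl_get_tmp_dh is still invoked as the DHE callback during a handshake, so if the init-time creation was ever skipped or failed, several worker threads can enter this path concurrently, each see NULL, each allocate a DH, and one of them hands out a pointer that another thread then overwrites and leaks. Suggest guarding the lazy path with a lock or a once-only initialiser, or making it explicit (with a comment and a check) that this branch is only reachable before threads are started, i.e. during the OpenSSL 3 init-time call the message describes. A second, smaller point: ssl_get_dh_4096/2048/1024 can presumably fail and return NULL, in which case dh is NULL on exit from this block exactly as before the patch; a one-line comment stating that the caller tolerates a NULL dh would make the intent clear to the next reader.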