mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 22:31:28 +02:00
Code Issues Projects Releases Wiki Activity

BUILD: ssl: fix build with -DOPENSSL_NO_DH

Browse Source
This commit is contained in:
Emmanuel Hocdet 2017-03-03 17:04:14 +01:00 committed by Willy Tarreau
parent 4de1ff1fd6
commit cc6c2a2cb7
1 changed files with 15 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
src/ssl_sock.c
View File

@ -176,6 +176,7 @@ static DH *global_dh = NULL;
static DH *local_dh_1024 = NULL; static DH *local_dh_1024 = NULL;
static DH *local_dh_2048 = NULL; static DH *local_dh_2048 = NULL;
static DH *local_dh_4096 = NULL; static DH *local_dh_4096 = NULL;
static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen);
#endif /* OPENSSL_NO_DH */ #endif /* OPENSSL_NO_DH */
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES) #if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
@ -1215,7 +1216,6 @@ static int ssl_sock_advertise_alpn_protos(SSL *s, const unsigned char **out,
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
#ifndef SSL_NO_GENERATE_CERTIFICATES #ifndef SSL_NO_GENERATE_CERTIFICATES
static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen);
/* Create a X509 certificate with the specified servername and serial. This /* Create a X509 certificate with the specified servername and serial. This
* function returns a SSL_CTX object or NULL if an error occurs. */ * function returns a SSL_CTX object or NULL if an error occurs. */
@ -1332,7 +1332,9 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
if (newcrt) X509_free(newcrt); if (newcrt) X509_free(newcrt);
#ifndef OPENSSL_NO_DH
SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_get_tmp_dh); SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_get_tmp_dh);
#endif
#if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH) #if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
{ {
const char *ecdhe = (bind_conf->ssl_conf.ecdhe ? bind_conf->ssl_conf.ecdhe : ECDHE_DEFAULT_CURVE); const char *ecdhe = (bind_conf->ssl_conf.ecdhe ? bind_conf->ssl_conf.ecdhe : ECDHE_DEFAULT_CURVE);
@ -3107,17 +3109,6 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
struct proxy *curproxy = bind_conf->frontend; struct proxy *curproxy = bind_conf->frontend;
int cfgerr = 0; int cfgerr = 0;
int verify = SSL_VERIFY_NONE; int verify = SSL_VERIFY_NONE;
STACK_OF(SSL_CIPHER) * ciphers = NULL;
const SSL_CIPHER * cipher = NULL;
char cipher_description[128];
/* The description of ciphers using an Ephemeral Diffie Hellman key exchange
contains " Kx=DH " or " Kx=DH(". Beware of " Kx=DH/",
which is not ephemeral DH. */
const char dhe_description[] = " Kx=DH ";
const char dhe_export_description[] = " Kx=DH(";
int idx = 0;
int dhe_found = 0;
SSL *ssl = NULL;
struct ssl_bind_conf *ssl_conf_cur; struct ssl_bind_conf *ssl_conf_cur;
const char *conf_ciphers; const char *conf_ciphers;
const char *conf_curves = NULL; const char *conf_curves = NULL;
@ -3192,6 +3183,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
cfgerr++; cfgerr++;
} }
#ifndef OPENSSL_NO_DH
/* If tune.ssl.default-dh-param has not been set, /* If tune.ssl.default-dh-param has not been set,
neither has ssl-default-dh-file and no static DH neither has ssl-default-dh-file and no static DH
params were in the certificate file. */ params were in the certificate file. */
@ -3199,6 +3191,17 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
global_dh == NULL && global_dh == NULL &&
(ssl_dh_ptr_index == -1 || (ssl_dh_ptr_index == -1 ||
SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) { SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
STACK_OF(SSL_CIPHER) * ciphers = NULL;
const SSL_CIPHER * cipher = NULL;
char cipher_description[128];
/* The description of ciphers using an Ephemeral Diffie Hellman key exchange
contains " Kx=DH " or " Kx=DH(". Beware of " Kx=DH/",
which is not ephemeral DH. */
const char dhe_description[] = " Kx=DH ";
const char dhe_export_description[] = " Kx=DH(";
int idx = 0;
int dhe_found = 0;
SSL *ssl = NULL;
ssl = SSL_new(ctx); ssl = SSL_new(ctx);
@ -3228,7 +3231,6 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
global_ssl.default_dh_param = 1024; global_ssl.default_dh_param = 1024;
} }
#ifndef OPENSSL_NO_DH
if (global_ssl.default_dh_param >= 1024) { if (global_ssl.default_dh_param >= 1024) {
if (local_dh_1024 == NULL) { if (local_dh_1024 == NULL) {
local_dh_1024 = ssl_get_dh_1024(); local_dh_1024 = ssl_get_dh_1024();