[Openvpn-devel,5/8,OSSL,3.0] Use EVP_PKEY based API for loading DH keys

Message ID 20210919162956.695496-5-arne@rfc2549.org
State Superseded
Headers show
Series [Openvpn-devel,1/8,OSSL,3.0] Use new EVP_MAC API for HMAC implementation | expand

Commit Message

Arne Schwabe Sept. 19, 2021, 6:29 a.m. UTC
OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to
load DH parameters.
---
 src/openvpn/ssl_openssl.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

Patch

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 241206fb2..d8ac25fbc 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -645,7 +645,6 @@  void
 tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
                        bool dh_file_inline)
 {
-    DH *dh;
     BIO *bio;
 
     ASSERT(NULL != ctx);
@@ -666,7 +665,26 @@  tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
         }
     }
 
-    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+    EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL);
+    BIO_free(bio);
+
+    if (!dh)
+    {
+        crypto_msg(M_FATAL, "Cannot load DH parameters from %s",
+                   print_key_filename(dh_file, dh_file_inline));
+    }
+    if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh))
+    {
+        crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh");
+    }
+
+    msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
+        8 * EVP_PKEY_get_size(dh));
+
+    EVP_PKEY_free(dh);
+#else
+    DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
     BIO_free(bio);
 
     if (!dh)
@@ -683,6 +701,7 @@  tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
         8 * DH_size(dh));
 
     DH_free(dh);
+#endif
 }
 
 void