[PATCH] SSL: DH was made opaque in OpenSSL 1.1.0

Alessandro Ghedini alessandro at cloudflare.com
Wed May 11 12:24:44 UTC 2016


# HG changeset patch
# User Alessandro Ghedini <alessandro at cloudflare.com>
# Date 1462967148 -3600
#      Wed May 11 12:45:48 2016 +0100
# Node ID f3413937fddaaca954090e26cf92b49fdf2f9722
# Parent  2f98b5709d7965e7c97cb74b8380014179c7bf0d
SSL: DH was made opaque in OpenSSL 1.1.0

DH_set0_pqg() was introduced to initialize the DH parameters.

diff -r 2f98b5709d79 -r f3413937fdda src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Thu Apr 28 16:30:19 2016 +0300
+++ b/src/event/ngx_event_openssl.c	Wed May 11 12:45:48 2016 +0100
@@ -915,8 +915,9 @@ ngx_ssl_passwords_cleanup(void *data)
 ngx_int_t
 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
 {
-    DH   *dh;
-    BIO  *bio;
+    DH      *dh;
+    BIO     *bio;
+    BIGNUM  *p, *g;
 
     /*
      * -----BEGIN DH PARAMETERS-----
@@ -951,15 +952,24 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_
             return NGX_ERROR;
         }
 
-        dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
-        dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
-
-        if (dh->p == NULL || dh->g == NULL) {
+        p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+        g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+
+        if (p == NULL || g == NULL) {
             ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
+            BN_free(p);
+            BN_free(g);
             DH_free(dh);
             return NGX_ERROR;
         }
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+        DH_set0_pqg(dh, p, NULL, g);
+#else
+        dh->p = p;
+        dh->g = g;
+#endif
+
         SSL_CTX_set_tmp_dh(ssl->ctx, dh);
 
         DH_free(dh);
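Review bot: The return value of `DH_set0_pqg(dh, p, NULL, g)` in the `#if OPENSSL_VERSION_NUMBER >= 0x10100005L` branch is ignored. The function returns 0 on failure and does not take ownership of `p` and `g` in that case, so both BIGNUMs would leak and `SSL_CTX_set_tmp_dh()` would be handed a DH object with no parameters; a failure looks unlikely because both values were just checked for NULL, but checking keeps this path consistent with the `BN_bin2bn()` error handling above. I would test the result, log it, free `p`, `g` and `dh`, and return `NGX_ERROR`, as in the fence below. Separately, the built-in fallback group carried over here is still 1024-bit (`dh1024_p`), which deserves a comment or a follow-up change. ngx_ssl_dhparam's body begins in the previous hunk and continues past the end of this one.

```c
#if OPENSSL_VERSION_NUMBER >= 0x10100005L
        /* on failure ownership of p and g stays with the caller */
        if (DH_set0_pqg(dh, p, NULL, g) != 1) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_set0_pqg() failed");
            BN_free(p);
            BN_free(g);
            DH_free(dh);
            return NGX_ERROR;
        }
#else
        /* … unchanged: direct dh->p / dh->g assignment for pre-1.1.0 … */
#endif
```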


