On 17/12/2025 17:08, Christopher Schultz wrote:
All,
I decided to start looking at some of these. Starting small, I have a
proposed patch:
Sorry. It looks like I found pretty much the same solution while I was
waiting for a test run to complete.
Have a look and see what you think.
Mark
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index caf503be5..99e1e1b34 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -378,7 +378,7 @@ int SSL_password_callback(char *, int, int,
void *);
void SSL_BIO_close(BIO *);
void SSL_BIO_doref(BIO *);
DH *SSL_get_dh_params(unsigned keylen);
-DH *SSL_dh_GetParamFromFile(const char *);
+EVP_PKEY *SSL_dh_GetParamFromFile(const char *);
#ifdef HAVE_ECC
EC_GROUP *SSL_ec_GetParamFromFile(const char *);
#endif
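Review bot: The new `EVP_PKEY *SSL_dh_GetParamFromFile(const char *)` prototype carries no ownership note, although the change turns this into an allocation the caller must release with `EVP_PKEY_free()` (the sslutils.c side of the patch says so only in a comment inside the body, where header readers will not see it). A one-line comment above the declaration would make the contract visible where it is consumed: `/* Reads DH parameters from a PEM file; returns a new EVP_PKEY the caller owns (EVP_PKEY_free), or NULL if the file cannot be opened or parsed. */`. The neighbouring `SSL_get_dh_params()` still returns a raw `DH *`, which is presumably handled by a separate patch; a short note saying so would stop readers from assuming the two are interchangeable.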
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 1c5d201db..2a399daa9 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -926,7 +926,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
int nid;
EC_KEY *eckey = NULL;
#endif
- DH *dhparams;
+ EVP_PKEY *dhparams;
UNREFERENCED(o);
TCN_ASSERT(ctx != 0);
@@ -1007,9 +1007,9 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
*/
/* XXX Does this also work for pkcs12 or only for PEM files?
* If only for PEM files move above to the PEM handling */
- if ((idx == 0) && (dhparams = SSL_dh_GetParamFromFile(cert_file))) {
- SSL_CTX_set_tmp_dh(c->ctx, dhparams);
- DH_free(dhparams);
+ if ((idx == 0) && (dhparams = SSL_dh_GetParamFromFile(cert_file)) !
= NULL) {
+ SSL_CTX_set0_tmp_dh_pkey(c->ctx, dhparams);
+ /* SSL context owns the dhparams, now */
}
#ifdef HAVE_ECC
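Review bot: The result of `SSL_CTX_set0_tmp_dh_pkey(c->ctx, dhparams)` is discarded, and the comment `/* SSL context owns the dhparams, now */` is only true on success: as far as I can tell from OpenSSL's implementation the set0 variant returns 0 without taking ownership when the parameters are rejected (for example DH too small for the configured security level), so on that path `dhparams` leaks and the rejection is silent. The removed `SSL_CTX_set_tmp_dh()` copied the DH object, so ignoring its return value was leak-free; that no longer holds with the set0 API. Suggest `if (SSL_CTX_set0_tmp_dh_pkey(c->ctx, dhparams) != 1) { EVP_PKEY_free(dhparams); }` and, ideally, reporting the OpenSSL error the way other failures in this function are reported. The enclosing `setCertificate` function begins and ends outside the hunk, so the exact error-reporting idiom used there is not visible here.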
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 1ee51329b..4fdb860c8 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -181,16 +181,18 @@ int SSL_password_callback(char *buf, int bufsiz,
int verify,
** Custom (EC)DH parameter support
** _________________________________________________________________
*/
-DH *SSL_dh_GetParamFromFile(const char *file)
+EVP_PKEY *SSL_dh_GetParamFromFile(const char *file)
{
- DH *dh = NULL;
- BIO *bio;
+ BIO *bio = BIO_new_file(file, "r");
+ EVP_PKEY *pkey = NULL;
- if ((bio = BIO_new_file(file, "r")) == NULL)
+ if (bio == NULL)
return NULL;
- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+
+ pkey = PEM_read_bio_Parameters(bio, NULL);
BIO_free(bio);
- return dh;
+
+ return pkey; /* ownership transferred to caller */
}
#ifdef HAVE_ECC
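Review bot: `PEM_read_bio_Parameters()` is not a drop-in replacement for the removed `PEM_read_bio_DHparams()`: it accepts any `* PARAMETERS` PEM block, so a cert file that carries `EC PARAMETERS` (which the `SSL_ec_GetParamFromFile()` branch below this hunk exists to handle) or DSA parameters would now be returned from `SSL_dh_GetParamFromFile()` and handed to `SSL_CTX_set0_tmp_dh_pkey()` as if it were DH. The function should verify the key type before returning, freeing anything that is not DH/DHX, so callers keep the old "DH or NULL" contract. Since the patch already depends on OpenSSL 3.x APIs, `EVP_PKEY_is_a()` is available for the check.
```c
    pkey = PEM_read_bio_Parameters(bio, NULL);
    BIO_free(bio);

    /* Only DH (or X9.42 DHX) parameters are acceptable here; any other
     * "* PARAMETERS" block the PEM reader understands is rejected. */
    if (pkey != NULL && !EVP_PKEY_is_a(pkey, "DH") && !EVP_PKEY_is_a(pkey, "DHX")) {
        EVP_PKEY_free(pkey);
        pkey = NULL;
    }

    return pkey; /* ownership transferred to caller */
```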
Would it be more convenient to make a PR out of this?
-chris