import of OpenSSL 0.9.8h

7 files changed, 205 insertions, 76 deletions

diff --git a/src/lib/libcrypto/dh/dh.h b/src/lib/libcrypto/dh/dh.h
index 92c7481e10..ccdf35ae1c 100644
--- a/src/lib/libcrypto/dh/dh.h
+++ b/src/lib/libcrypto/dh/dh.h
@@ -59,6 +59,8 @@
 #ifndef HEADER_DH_H
 #define HEADER_DH_H
 
+#include <openssl/e_os2.h>
+
 #ifdef OPENSSL_NO_DH
 #error DH is disabled.
 #endif
@@ -66,10 +68,15 @@
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
-#include <openssl/bn.h>
-#include <openssl/crypto.h>
 #include <openssl/ossl_typ.h>
+#ifndef OPENSSL_NO_DEPRECATED
+#include <openssl/bn.h>
+#endif
         
+#ifndef OPENSSL_DH_MAX_MODULUS_BITS
+# define OPENSSL_DH_MAX_MODULUS_BITS    10000
+#endif
+
 #define DH_FLAG_CACHE_MONT_P     0x01
 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
                                        * implementation now uses constant time
@@ -83,9 +90,12 @@
 extern "C" {
 #endif
 
-typedef struct dh_st DH;
+/* Already defined in ossl_typ.h */
+/* typedef struct dh_st DH; */
+/* typedef struct dh_method DH_METHOD; */
 
-typedef struct dh_method {
+struct dh_method
+        {
         const char *name;
         /* Methods here */
         int (*generate_key)(DH *dh);
@@ -98,7 +108,9 @@ typedef struct dh_method {
         int (*finish)(DH *dh);
         int flags;
         char *app_data;
-} DH_METHOD;
+        /* If this is non-NULL, it will be used to generate parameters */
+        int (*generate_params)(DH *dh, int prime_len, int generator, BN_GENCB *cb);
+        };
 
 struct dh_st
         {
@@ -113,7 +125,7 @@ struct dh_st
         BIGNUM *priv_key;       /* x */
 
         int flags;
-        char *method_mont_p;
+        BN_MONT_CTX *method_mont_p;
         /* Place holders if we want to do X9.42 DH */
         BIGNUM *q;
         BIGNUM *j;
@@ -137,25 +149,21 @@ struct dh_st
 #define DH_UNABLE_TO_CHECK_GENERATOR    0x04
 #define DH_NOT_SUITABLE_GENERATOR       0x08
 
+/* DH_check_pub_key error codes */
+#define DH_CHECK_PUBKEY_TOO_SMALL       0x01
+#define DH_CHECK_PUBKEY_TOO_LARGE       0x02
+
 /* primes p where (p-1)/2 is prime too are called "safe"; we define
    this for backward compatibility: */
 #define DH_CHECK_P_NOT_STRONG_PRIME     DH_CHECK_P_NOT_SAFE_PRIME
 
-#define DHparams_dup(x) (DH *)ASN1_dup((int (*)())i2d_DHparams, \
-                (char *(*)())d2i_DHparams,(char *)(x))
+#define DHparams_dup(x) ASN1_dup_of_const(DH,i2d_DHparams,d2i_DHparams,x)
 #define d2i_DHparams_fp(fp,x) (DH *)ASN1_d2i_fp((char *(*)())DH_new, \
                 (char *(*)())d2i_DHparams,(fp),(unsigned char **)(x))
 #define i2d_DHparams_fp(fp,x) ASN1_i2d_fp(i2d_DHparams,(fp), \
                 (unsigned char *)(x))
-#define d2i_DHparams_bio(bp,x) (DH *)ASN1_d2i_bio((char *(*)())DH_new, \
-                (char *(*)())d2i_DHparams,(bp),(unsigned char **)(x))
-#ifdef  __cplusplus
-#define i2d_DHparams_bio(bp,x) ASN1_i2d_bio((int (*)())i2d_DHparams,(bp), \
-                (unsigned char *)(x))
-#else
-#define i2d_DHparams_bio(bp,x) ASN1_i2d_bio(i2d_DHparams,(bp), \
-                (unsigned char *)(x))
-#endif
+#define d2i_DHparams_bio(bp,x) ASN1_d2i_bio_of(DH,DH_new,d2i_DHparams,bp,x)
+#define i2d_DHparams_bio(bp,x) ASN1_i2d_bio_of_const(DH,i2d_DHparams,bp,x)
 
 const DH_METHOD *DH_OpenSSL(void);
 
@@ -172,9 +180,18 @@ int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int DH_set_ex_data(DH *d, int idx, void *arg);
 void *DH_get_ex_data(DH *d, int idx);
+
+/* Deprecated version */
+#ifndef OPENSSL_NO_DEPRECATED
 DH *    DH_generate_parameters(int prime_len,int generator,
                 void (*callback)(int,int,void *),void *cb_arg);
+#endif /* !defined(OPENSSL_NO_DEPRECATED) */
+
+/* New version */
+int     DH_generate_parameters_ex(DH *dh, int prime_len,int generator, BN_GENCB *cb);
+
 int     DH_check(const DH *dh,int *codes);
+int     DH_check_pub_key(const DH *dh,const BIGNUM *pub_key, int *codes);
 int     DH_generate_key(DH *dh);
 int     DH_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh);
 DH *    d2i_DHparams(DH **a,const unsigned char **pp, long length);
@@ -197,15 +214,18 @@ void ERR_load_DH_strings(void);
 /* Error codes for the DH functions. */
 
 /* Function codes. */
+#define DH_F_COMPUTE_KEY                                 102
 #define DH_F_DHPARAMS_PRINT                              100
 #define DH_F_DHPARAMS_PRINT_FP                           101
-#define DH_F_DH_COMPUTE_KEY                              102
-#define DH_F_DH_GENERATE_KEY                             103
-#define DH_F_DH_GENERATE_PARAMETERS                      104
+#define DH_F_DH_BUILTIN_GENPARAMS                        106
 #define DH_F_DH_NEW_METHOD                               105
+#define DH_F_GENERATE_KEY                                103
+#define DH_F_GENERATE_PARAMETERS                         104
 
 /* Reason codes. */
 #define DH_R_BAD_GENERATOR                               101
+#define DH_R_INVALID_PUBKEY                              102
+#define DH_R_MODULUS_TOO_LARGE                           103
 #define DH_R_NO_PRIVATE_VALUE                            100
 
 #ifdef  __cplusplus
diff --git a/src/lib/libcrypto/dh/dh_check.c b/src/lib/libcrypto/dh/dh_check.c
index a7e9920efb..b846913004 100644
--- a/src/lib/libcrypto/dh/dh_check.c
+++ b/src/lib/libcrypto/dh/dh_check.c
@@ -62,7 +62,7 @@
 #include <openssl/dh.h>
 
 /* Check that p is a safe prime and
- * if g is 2, 3 or 5, check that is is a suitable generator
+ * if g is 2, 3 or 5, check that it is a suitable generator
  * where
  * for 2, p mod 24 == 11
  * for 3, p mod 12 == 5
@@ -70,8 +70,6 @@
  * should hold.
  */
 
-#ifndef OPENSSL_FIPS
-
 int DH_check(const DH *dh, int *ret)
         {
         int ok=0;
@@ -106,12 +104,12 @@ int DH_check(const DH *dh, int *ret)
         else
                 *ret|=DH_UNABLE_TO_CHECK_GENERATOR;
 
-        if (!BN_is_prime(dh->p,BN_prime_checks,NULL,ctx,NULL))
+        if (!BN_is_prime_ex(dh->p,BN_prime_checks,ctx,NULL))
                 *ret|=DH_CHECK_P_NOT_PRIME;
         else
                 {
                 if (!BN_rshift1(q,dh->p)) goto err;
-                if (!BN_is_prime(q,BN_prime_checks,NULL,ctx,NULL))
+                if (!BN_is_prime_ex(q,BN_prime_checks,ctx,NULL))
                         *ret|=DH_CHECK_P_NOT_SAFE_PRIME;
                 }
         ok=1;
@@ -121,4 +119,24 @@ err:
         return(ok);
         }
 
-#endif
+int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+        {
+        int ok=0;
+        BIGNUM *q=NULL;
+
+        *ret=0;
+        q=BN_new();
+        if (q == NULL) goto err;
+        BN_set_word(q,1);
+        if (BN_cmp(pub_key,q) <= 0)
+                *ret|=DH_CHECK_PUBKEY_TOO_SMALL;
+        BN_copy(q,dh->p);
+        BN_sub_word(q,1);
+        if (BN_cmp(pub_key,q) >= 0)
+                *ret|=DH_CHECK_PUBKEY_TOO_LARGE;
+
+        ok = 1;
+err:
+        if (q != NULL) BN_free(q);
+        return(ok);
+        }
diff --git a/src/lib/libcrypto/dh/dh_depr.c b/src/lib/libcrypto/dh/dh_depr.c
new file mode 100644
index 0000000000..acc05f252c
--- /dev/null
+++ b/src/lib/libcrypto/dh/dh_depr.c
@@ -0,0 +1,83 @@
+/* crypto/dh/dh_depr.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+/* This file contains deprecated functions as wrappers to the new ones */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+
+static void *dummy=&dummy;
+
+#ifndef OPENSSL_NO_DEPRECATED
+DH *DH_generate_parameters(int prime_len, int generator,
+             void (*callback)(int,int,void *), void *cb_arg)
+        {
+        BN_GENCB cb;
+        DH *ret=NULL;
+
+        if((ret=DH_new()) == NULL)
+                return NULL;
+
+        BN_GENCB_set_old(&cb, callback, cb_arg);
+
+        if(DH_generate_parameters_ex(ret, prime_len, generator, &cb))
+                return ret;
+        DH_free(ret);
+        return NULL;
+        }
+#endif
diff --git a/src/lib/libcrypto/dh/dh_err.c b/src/lib/libcrypto/dh/dh_err.c
index 83ccb41221..a2d8196ecb 100644
--- a/src/lib/libcrypto/dh/dh_err.c
+++ b/src/lib/libcrypto/dh/dh_err.c
@@ -70,18 +70,21 @@
 
 static ERR_STRING_DATA DH_str_functs[]=
         {
+{ERR_FUNC(DH_F_COMPUTE_KEY),    "COMPUTE_KEY"},
 {ERR_FUNC(DH_F_DHPARAMS_PRINT), "DHparams_print"},
 {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP),      "DHparams_print_fp"},
-{ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"},
-{ERR_FUNC(DH_F_DH_GENERATE_KEY),        "DH_generate_key"},
-{ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS), "DH_generate_parameters"},
+{ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS),   "DH_BUILTIN_GENPARAMS"},
 {ERR_FUNC(DH_F_DH_NEW_METHOD),  "DH_new_method"},
+{ERR_FUNC(DH_F_GENERATE_KEY),   "GENERATE_KEY"},
+{ERR_FUNC(DH_F_GENERATE_PARAMETERS),    "GENERATE_PARAMETERS"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA DH_str_reasons[]=
         {
 {ERR_REASON(DH_R_BAD_GENERATOR)          ,"bad generator"},
+{ERR_REASON(DH_R_INVALID_PUBKEY)         ,"invalid public key"},
+{ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"},
 {ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},
 {0,NULL}
         };
@@ -90,15 +93,12 @@ static ERR_STRING_DATA DH_str_reasons[]=
 
 void ERR_load_DH_strings(void)
         {
-        static int init=1;
+#ifndef OPENSSL_NO_ERR
 
-        if (init)
+        if (ERR_func_error_string(DH_str_functs[0].error) == NULL)
                 {
-                init=0;
-#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(0,DH_str_functs);
                 ERR_load_strings(0,DH_str_reasons);
-#endif
-
                 }
+#endif
         }
diff --git a/src/lib/libcrypto/dh/dh_gen.c b/src/lib/libcrypto/dh/dh_gen.c
index 23777f5a16..cfd5b11868 100644
--- a/src/lib/libcrypto/dh/dh_gen.c
+++ b/src/lib/libcrypto/dh/dh_gen.c
@@ -56,11 +56,25 @@
  * [including the GNU Public Licence.]
  */
 
+/* NB: These functions have been upgraded - the previous prototypes are in
+ * dh_depr.c as wrappers to these ones.
+ *  - Geoff
+ */
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
+static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);
+
+int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb)
+        {
+        if(ret->meth->generate_params)
+                return ret->meth->generate_params(ret, prime_len, generator, cb);
+        return dh_builtin_genparams(ret, prime_len, generator, cb);
+        }
+
 /* We generate DH parameters as follows
  * find a prime q which is prime_len/2 bits long.
  * p=(2*q)+1 or (p-1)/2 = q
@@ -86,29 +100,26 @@
  * It's just as OK (and in some sense better) to use a generator of the
  * order-q subgroup.
  */
-
-#ifndef OPENSSL_FIPS
-
-DH *DH_generate_parameters(int prime_len, int generator,
-             void (*callback)(int,int,void *), void *cb_arg)
+static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb)
         {
-        BIGNUM *p=NULL,*t1,*t2;
-        DH *ret=NULL;
+        BIGNUM *t1,*t2;
         int g,ok= -1;
         BN_CTX *ctx=NULL;
 
-        ret=DH_new();
-        if (ret == NULL) goto err;
         ctx=BN_CTX_new();
         if (ctx == NULL) goto err;
         BN_CTX_start(ctx);
         t1 = BN_CTX_get(ctx);
         t2 = BN_CTX_get(ctx);
         if (t1 == NULL || t2 == NULL) goto err;
+
+        /* Make sure 'ret' has the necessary elements */
+        if(!ret->p && ((ret->p = BN_new()) == NULL)) goto err;
+        if(!ret->g && ((ret->g = BN_new()) == NULL)) goto err;
         
         if (generator <= 1)
                 {
-                DHerr(DH_F_DH_GENERATE_PARAMETERS, DH_R_BAD_GENERATOR);
+                DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_BAD_GENERATOR);
                 goto err;
                 }
         if (generator == DH_GENERATOR_2)
@@ -144,18 +155,14 @@ DH *DH_generate_parameters(int prime_len, int generator,
                 g=generator;
                 }
         
-        p=BN_generate_prime(NULL,prime_len,1,t1,t2,callback,cb_arg);
-        if (p == NULL) goto err;
-        if (callback != NULL) callback(3,0,cb_arg);
-        ret->p=p;
-        ret->g=BN_new();
-        if (ret->g == NULL) goto err;
+        if(!BN_generate_prime_ex(ret->p,prime_len,1,t1,t2,cb)) goto err;
+        if(!BN_GENCB_call(cb, 3, 0)) goto err;
         if (!BN_set_word(ret->g,g)) goto err;
         ok=1;
 err:
         if (ok == -1)
                 {
-                DHerr(DH_F_DH_GENERATE_PARAMETERS,ERR_R_BN_LIB);
+                DHerr(DH_F_DH_BUILTIN_GENPARAMS,ERR_R_BN_LIB);
                 ok=0;
                 }
 
@@ -164,12 +171,5 @@ err:
                 BN_CTX_end(ctx);
                 BN_CTX_free(ctx);
                 }
-        if (!ok && (ret != NULL))
-                {
-                DH_free(ret);
-                ret=NULL;
-                }
-        return(ret);
+        return ok;
         }
-
-#endif
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 3a39f7c8ca..e7db440342 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -62,8 +62,6 @@
 #include <openssl/rand.h>
 #include <openssl/dh.h>
 
-#ifndef OPENSSL_FIPS
-
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
@@ -91,6 +89,7 @@ dh_bn_mod_exp,
 dh_init,
 dh_finish,
 0,
+NULL,
 NULL
 };
 
@@ -131,8 +130,7 @@ static int generate_key(DH *dh)
 
         if (dh->flags & DH_FLAG_CACHE_MONT_P)
                 {
-                mont = BN_MONT_CTX_set_locked(
-                                (BN_MONT_CTX **)&dh->method_mont_p,
+                mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
                                 CRYPTO_LOCK_DH, dh->p, ctx);
                 if (!mont)
                         goto err;
@@ -152,7 +150,7 @@ static int generate_key(DH *dh)
                         {
                         BN_init(&local_prk);
                         prk = &local_prk;
-                        BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+                        BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
                         }
                 else
                         prk = priv_key;
@@ -165,7 +163,7 @@ static int generate_key(DH *dh)
         ok=1;
 err:
         if (ok != 1)
-                DHerr(DH_F_DH_GENERATE_KEY,ERR_R_BN_LIB);
+                DHerr(DH_F_GENERATE_KEY,ERR_R_BN_LIB);
 
         if ((pub_key != NULL)  && (dh->pub_key == NULL))  BN_free(pub_key);
         if ((priv_key != NULL) && (dh->priv_key == NULL)) BN_free(priv_key);
@@ -175,10 +173,17 @@ err:
 
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
         {
-        BN_CTX *ctx;
+        BN_CTX *ctx=NULL;
         BN_MONT_CTX *mont=NULL;
         BIGNUM *tmp;
         int ret= -1;
+        int check_result;
+
+        if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)
+                {
+                DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
+                goto err;
+                }
 
         ctx = BN_CTX_new();
         if (ctx == NULL) goto err;
@@ -187,27 +192,32 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
         
         if (dh->priv_key == NULL)
                 {
-                DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
+                DHerr(DH_F_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
                 goto err;
                 }
 
         if (dh->flags & DH_FLAG_CACHE_MONT_P)
                 {
-                mont = BN_MONT_CTX_set_locked(
-                                (BN_MONT_CTX **)&dh->method_mont_p,
+                mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
                                 CRYPTO_LOCK_DH, dh->p, ctx);
                 if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
                         {
                         /* XXX */
-                        BN_set_flags(dh->priv_key, BN_FLG_EXP_CONSTTIME);
+                        BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
                         }
                 if (!mont)
                         goto err;
                 }
 
+        if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result)
+                {
+                DHerr(DH_F_COMPUTE_KEY,DH_R_INVALID_PUBKEY);
+                goto err;
+                }
+
         if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
                 {
-                DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);
+                DHerr(DH_F_COMPUTE_KEY,ERR_R_BN_LIB);
                 goto err;
                 }
 
@@ -248,8 +258,6 @@ static int dh_init(DH *dh)
 static int dh_finish(DH *dh)
         {
         if(dh->method_mont_p)
-                BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
+                BN_MONT_CTX_free(dh->method_mont_p);
         return(1);
         }
-
-#endif
diff --git a/src/lib/libcrypto/dh/dh_lib.c b/src/lib/libcrypto/dh/dh_lib.c
index 09965ee2ea..7aef080e7a 100644
--- a/src/lib/libcrypto/dh/dh_lib.c
+++ b/src/lib/libcrypto/dh/dh_lib.c
@@ -64,7 +64,7 @@
 #include <openssl/engine.h>
 #endif
 
-const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
+const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
 
 static const DH_METHOD *default_DH_method = NULL;