commit 010cbb535330643f12b68f0bea40f17b0c8c87ca
parent 58248adab617eb240d6d8accd7620a1cabc1a1ff
Author: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
Date: Tue, 13 May 2025 00:10:42 -0400
Use SSL_CTX_set1_groups_list without checking
It is supported in OpenSSL 1.1.1+ and LibreSSL.
Diffstat:
2 files changed, 1 insertion(+), 15 deletions(-)
diff --git a/configure.ac b/configure.ac
@@ -1124,7 +1124,6 @@ dnl confusing with LibreSSL, OpenSSL, and various distributions' patches
dnl to them.
AC_CHECK_FUNCS([ \
EVP_PBE_scrypt \
- SSL_CTX_set1_groups_list \
SSL_CTX_set_security_level
])
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
@@ -533,9 +533,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_tmp_dh(result->ctx, dh);
DH_free(dh);
}
-/* We check for this function in two ways, since it might be either a symbol
- * or a macro. */
-#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
+
{
// We'd like to say something like:
// "?X25519MLKEM768:P-256:P-224"
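Review bot: With the `#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)` guard removed, the block opening at `{` is compiled unconditionally, and since the second hunk also drops the `SSL_CTX_set_tmp_ecdh` fallback, the file now hard-requires a library that provides SSL_CTX_set1_groups_list. The commit message says OpenSSL 1.1.1+ and LibreSSL provide it, but nothing in this diff shows configure.ac enforcing that minimum, so an older library would presumably fail only at compile time with an implicit-declaration error rather than a clear configure-time message; if the minimum is not already checked, a comment above the block such as `/* SSL_CTX_set1_groups_list is available unconditionally in OpenSSL >= 1.1.1 and LibreSSL; older libraries are not supported. */` would at least record the assumption at the call site. The blank line left where the `#if` was separates `}` from the following `{` without explanation; a short comment naming the block's purpose there, e.g. `/* Configure the key-exchange groups offered/accepted by this context. */`, reads better than an empty line. tor_tls_context_new begins before this hunk and continues past it.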
@@ -591,17 +589,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
"Using library defaults");
}
}
-#else /* !(defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SE...)) */
- if (! is_client) {
- int nid;
- EC_KEY *ec_key;
- nid = NID_tor_default_ecdhe_group;
- ec_key = EC_KEY_new_by_curve_name(nid);
- if (ec_key != NULL) /*XXXX Handle errors? */
- SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
- EC_KEY_free(ec_key);
- }
-#endif /* defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1...) */
if (is_client) {
SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,