commit cc9a9b1bdd100e074e4df07f12269f3191ebb3d2
parent 650fabc6ad7e471d18f1e10563149893131cc69d
Author: Nick Mathewson <nickm@torproject.org>
Date: Wed, 23 Apr 2025 08:38:05 -0400
Remove TOR_TLS_USE_ECDHE_P* flags.
They have been unused since 0.3.1.1-alpha, when we removed the
TLSECGroups option.
Diffstat:
3 files changed, 4 insertions(+), 18 deletions(-)
diff --git a/src/lib/tls/tortls.c b/src/lib/tls/tortls.c
@@ -175,9 +175,8 @@ tor_tls_err_to_string(int err)
* If <b>server_identity</b> is NULL, this will not generate a server
* TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in <b>flags</b>, use
* the same TLS context for incoming and outgoing connections, and
- * ignore <b>client_identity</b>. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256}
- * is set in <b>flags</b>, use that ECDHE group if possible; otherwise use
- * the default ECDHE group. */
+ * ignore <b>client_identity</b>.
+ */
int
tor_tls_context_init(unsigned flags,
crypto_pk_t *client_identity,
diff --git a/src/lib/tls/tortls.h b/src/lib/tls/tortls.h
@@ -75,8 +75,6 @@ void tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz);
void tor_tls_free_all(void);
#define TOR_TLS_CTX_IS_PUBLIC_SERVER (1u<<0)
-#define TOR_TLS_CTX_USE_ECDHE_P256 (1u<<1)
-#define TOR_TLS_CTX_USE_ECDHE_P224 (1u<<2)
void tor_tls_init(void);
void tls_log_errors(tor_tls_t *tls, int severity, int domain,
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
@@ -671,12 +671,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
{
const char *list;
- if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
- list = "P-224:P-256";
- else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
- list = "P-256:P-224";
- else
- list = "P-256:P-224";
+ list = "P-256:P-224";
int r = (int) SSL_CTX_set1_groups_list(result->ctx, list);
if (r < 0)
goto error;
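Review bot: The failure test two lines after the new `list = "P-256:P-224";` assignment, `if (r < 0)`, cannot fire if SSL_CTX_set1_groups_list follows the documented OpenSSL contract of returning 1 on success and 0 on failure, so a rejected group list would be silently ignored and the context would go on with the library's default groups. Unless the HAVE_SSL_CTX_SET1_GROUPS_LIST variant in this tree uses a different return convention, the check should be `if (r != 1)`. Now that the list is a constant, the separate declaration and assignment can also be merged into `const char *list = "P-256:P-224";`. tor_tls_context_new's body continues outside the hunk.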
@@ -685,13 +680,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
if (! is_client) {
int nid;
EC_KEY *ec_key;
- if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
- nid = NID_secp224r1;
- else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
- nid = NID_X9_62_prime256v1;
- else
- nid = NID_tor_default_ecdhe_group;
- /* Use P-256 for ECDHE. */
+ nid = NID_tor_default_ecdhe_group;
ec_key = EC_KEY_new_by_curve_name(nid);
if (ec_key != NULL) /*XXXX Handle errors? */
SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
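Review bot: The `/*XXXX Handle errors? */` path on EC_KEY_new_by_curve_name is left unaddressed: with the per-flag curve selection gone, a NULL return means the linked library does not provide NID_tor_default_ecdhe_group, and the server context is then created without any tmp ECDH key instead of failing. Treating that as fatal, `if (ec_key == NULL) goto error;`, would match how the groups-list call in the previous hunk is handled. The intermediate `nid` is also no longer needed, `ec_key = EC_KEY_new_by_curve_name(NID_tor_default_ecdhe_group);`. Whether ec_key is released after SSL_CTX_set_tmp_ecdh cannot be seen here, since the function continues past the hunk.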