Use SSL_CTX_set1_groups_list without checking
authorAlex Xu (Hello71) <alex_y_xu@yahoo.ca>
Tue, 13 May 2025 04:10:42 +0000 (00:10 -0400)
committerAlex Xu (Hello71) <alex_y_xu@yahoo.ca>
Tue, 13 May 2025 04:13:41 +0000 (00:13 -0400)
It is supported in OpenSSL 1.1.1+ and LibreSSL.

configure.ac
src/lib/tls/tortls_openssl.c

index d4ddda1c354a882a878c3df58e1064227fba8a69..b279f3d35f41b675e0b4009685162ea5a2308b28 100644 (file)
@@ -1124,7 +1124,6 @@ dnl confusing with LibreSSL, OpenSSL, and various distributions' patches
 dnl to them.
 AC_CHECK_FUNCS([ \
                EVP_PBE_scrypt \
-               SSL_CTX_set1_groups_list \
                SSL_CTX_set_security_level
               ])
 
index 6452a03fbab9bcec182fcac71d01c5794cbdb2a3..fa57b736fd2a1648ebab14776f02ea9225f5c88e 100644 (file)
@@ -533,9 +533,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
     SSL_CTX_set_tmp_dh(result->ctx, dh);
     DH_free(dh);
   }
-/* We check for this function in two ways, since it might be either a symbol
- * or a macro. */
-#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
+
   {
     // We'd like to say something like:
     //    "?X25519MLKEM768:P-256:P-224"
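Review bot: With the `#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)` guard removed, the block opening at the bare `{` now compiles unconditionally, and nothing in the code records which library versions that assumes. The commit message gives OpenSSL 1.1.1+ and LibreSSL; I would keep that next to the code by replacing the added blank line with a comment such as `/* SSL_CTX_set1_groups_list() is required here: OpenSSL 1.1.1+ or LibreSSL. */`. Whether configure.ac rejects older libraries elsewhere is not visible in this diff; if it does not, a build against one now fails in this file rather than at configure time. The block continues past the end of this hunk.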
@@ -591,17 +589,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
                "Using library defaults");
     }
   }
-#else /* !(defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SE...)) */
-  if (! is_client) {
-    int nid;
-    EC_KEY *ec_key;
-    nid = NID_tor_default_ecdhe_group;
-    ec_key = EC_KEY_new_by_curve_name(nid);
-    if (ec_key != NULL) /*XXXX Handle errors? */
-      SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
-    EC_KEY_free(ec_key);
-  }
-#endif /* defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1...) */
 
   if (is_client) {
     SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
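Review bot: Once the `#else` branch is gone, the only fallback visible when the groups-list call fails is the `"Using library defaults"` path at the top of this hunk, so on that path the server's key-exchange groups are chosen by the TLS library rather than by Tor. It is worth confirming that this message is logged at a level an operator will notice, since it means the configured group preference was not applied. The removed code is also the only use of `NID_tor_default_ecdhe_group` shown in this diff; if nothing else references it, the definition is now dead and could be removed in the same commit. tor_tls_context_new starts and ends outside the hunk, so the logging call and any other users of that constant are not visible here.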