OpenSSL 3.0: Set SSL groups using SSL_set1_groups()
authorJouni Malinen <j@w1.fi>
Sun, 13 Mar 2022 09:25:04 +0000 (11:25 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 13 Mar 2022 09:27:15 +0000 (11:27 +0200)
The mechanism using SSL_set_tmp_ecdh() has been obsoleted and
SSL_set1_groups() takes care of it instead.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/crypto/tls_openssl.c

index e16daad26a354e393846ced5eae1e1bec267bf61..3eca7b17cbfe642870b51c9bcf35bda6d458933e 100644 (file)
@@ -3059,7 +3059,9 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
                        return -1;
                }
        } else if (flags & TLS_CONN_SUITEB) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
                EC_KEY *ecdh;
+#endif
                const char *ciphers =
                        "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
                int nid[1] = { NID_secp384r1 };
@@ -3076,6 +3078,14 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
                        return -1;
                }
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+               if (SSL_set1_groups(ssl, nid, 1) != 1) {
+                       wpa_printf(MSG_INFO,
+                                  "OpenSSL: Failed to set Suite B groups");
+                       return -1;
+               }
+
+#else
                if (SSL_set1_curves(ssl, nid, 1) != 1) {
                        wpa_printf(MSG_INFO,
                                   "OpenSSL: Failed to set Suite B curves");
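Review bot: The new OpenSSL 3.0 branch has no comment saying that the group list is now the only thing restricting ECDHE to secp384r1 for Suite B, whereas the pre-3.0 branch after `#else` still ends with `EC_KEY_free(ecdh)`, presumably following an SSL_set_tmp_ecdh() call in the lines between this hunk and the next. A short comment above the `SSL_set1_groups()` call would show a later reader that the asymmetry is intentional, for example `/* OpenSSL 3.0: the groups list alone pins ECDHE to P-384; SSL_set_tmp_ecdh() is obsolete */`. The failure path returns -1 like the older branch, so a rejected group list fails closed rather than falling back to the library defaults. The `#else` opened here is closed by the `#endif` added in the following hunk, and tagging that line as `#endif /* OpenSSL < 3.0 */` would help because the two are far apart. tls_set_conn_flags() starts and ends outside the hunk.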
@@ -3090,6 +3100,7 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
                        return -1;
                }
                EC_KEY_free(ecdh);
+#endif
        }
        if (flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) {
 #ifdef OPENSSL_IS_BORINGSSL