From: Alex Xu (Hello71)
Date: Tue, 13 May 2025 04:10:42 +0000 (-0400)
Subject: Use SSL_CTX_set1_groups_list without checking
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=010cbb535330643f12b68f0bea40f17b0c8c87ca;p=thirdparty%2Ftor.git

Use SSL_CTX_set1_groups_list without checking

It is supported in OpenSSL 1.1.1+ and LibreSSL.
---

diff --git a/configure.ac b/configure.ac
index d4ddda1c35..b279f3d35f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1124,7 +1124,6 @@ dnl confusing with LibreSSL, OpenSSL, and various distributions' patches
 dnl to them.
 AC_CHECK_FUNCS([ \
   EVP_PBE_scrypt \
-  SSL_CTX_set1_groups_list \
   SSL_CTX_set_security_level
 ])
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
index 6452a03fba..fa57b736fd 100644
--- a/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@@ -533,9 +533,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
     SSL_CTX_set_tmp_dh(result->ctx, dh);
     DH_free(dh);
   }
-/* We check for this function in two ways, since it might be either a symbol
- * or a macro. */
-#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
+  {
     // We'd like to say something like:
     // "?X25519MLKEM768:P-256:P-224"
@@ -591,17 +589,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
                "Using library defaults");
     }
   }
-#else /* !(defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SE...)) */
-  if (! is_client) {
-    int nid;
-    EC_KEY *ec_key;
-    nid = NID_tor_default_ecdhe_group;
-    ec_key = EC_KEY_new_by_curve_name(nid);
-    if (ec_key != NULL) /*XXXX Handle errors? */
-      SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
-    EC_KEY_free(ec_key);
-  }
-#endif /* defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1...) */
   if (is_client) {
     SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
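Review bot: The `+  {` that replaces the `#if` in the tortls_openssl.c hunk at line 533 leaves a bare block at function scope with nothing saying why the groups-list call is now unconditional, so a reader will take the stray brace for a leftover. Add a comment above it, e.g. `/* SSL_CTX_set1_groups_list() is called unconditionally: it exists in OpenSSL 1.1.1+ and LibreSSL, and the configure-time HAVE_ check was dropped. */`, or drop the braces and dedent the block if none of its locals need the inner scope. Whether the build's minimum OpenSSL version is actually pinned at 1.1.1 is not visible in this diff; if it is not, a build against an older OpenSSL now fails at compile time instead of taking the removed SSL_CTX_set_tmp_ecdh() path, which is worth confirming in configure.ac. The hunk at line 591 also removes the only visible use of NID_tor_default_ecdhe_group, so its definition may now be dead. tor_tls_context_new's body starts and ends outside both hunks.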