From: Nick Mathewson Date: Wed, 23 Apr 2025 12:38:05 +0000 (-0400) Subject: Remove TOR_TLS_USE_ECDHE_P* flags. X-Git-Tag: tor-0.4.8.17~11^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc9a9b1bdd100e074e4df07f12269f3191ebb3d2;p=thirdparty%2Ftor.git Remove TOR_TLS_USE_ECDHE_P* flags. They have been unused since 0.3.1.1-alpha, when we removed the TLSECGroups option.
---
diff --git a/src/lib/tls/tortls.c b/src/lib/tls/tortls.c
index 80f16e1c74..b8a1205e0f 100644
--- a/src/lib/tls/tortls.c
+++ b/src/lib/tls/tortls.c
@@ -175,9 +175,8 @@ tor_tls_err_to_string(int err)
 * If server_identity is NULL, this will not generate a server
 * TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in flags, use
 * the same TLS context for incoming and outgoing connections, and
- * ignore client_identity. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256}
- * is set in flags, use that ECDHE group if possible; otherwise use
- * the default ECDHE group. */
+ * ignore client_identity.
+ */
 int
 tor_tls_context_init(unsigned flags,
 crypto_pk_t *client_identity,
diff --git a/src/lib/tls/tortls.h b/src/lib/tls/tortls.h
index 96f93e2679..5d0f49ac0b 100644
--- a/src/lib/tls/tortls.h
+++ b/src/lib/tls/tortls.h
@@ -75,8 +75,6 @@ void tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz);
 void tor_tls_free_all(void);
 #define TOR_TLS_CTX_IS_PUBLIC_SERVER (1u<<0)
-#define TOR_TLS_CTX_USE_ECDHE_P256 (1u<<1)
-#define TOR_TLS_CTX_USE_ECDHE_P224 (1u<<2)
 void tor_tls_init(void);
 void tls_log_errors(tor_tls_t *tls, int severity, int domain,
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
index ee91715e2d..9bd0b72b96 100644
--- a/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@@ -671,12 +671,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
 #if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
 {
 const char *list;
- if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
- list = "P-224:P-256";
- else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
- list = "P-256:P-224";
- else
- list = "P-256:P-224";
+ list = "P-256:P-224";
 int r = (int) SSL_CTX_set1_groups_list(result->ctx, list);
 if (r < 0)
 goto error;
@@ -685,13 +680,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
 if (! is_client) {
 int nid;
 EC_KEY *ec_key;
- if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
- nid = NID_secp224r1;
- else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
- nid = NID_X9_62_prime256v1;
- else
- nid = NID_tor_default_ecdhe_group;
- /* Use P-256 for ECDHE. */
+ nid = NID_tor_default_ecdhe_group;
 ec_key = EC_KEY_new_by_curve_name(nid);
 if (ec_key != NULL) /*XXXX Handle errors? */
 SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
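Review bot: With the only two reads of `flags` in this hunk and the following one removed, `flags` may now be unread anywhere in tor_tls_context_new, which would trip -Wunused-parameter; the function's signature and the rest of its body lie outside the hunk, so this is inferred, but if it holds, either add `(void) flags;` at the top of the function or retire the parameter in a follow-up. Now that the value is fixed, the separate declaration and assignment read more clearly as one line, `const char *list = "P-256:P-224";`. The list still advertises P-224 after P-256 as a negotiable fallback; if the project's intent is P-256 only, that is a separate policy decision worth a one-line comment on this line stating why P-224 is retained.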
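Review bot: The replacement line `nid = NID_tor_default_ecdhe_group;` drops the removed `/* Use P-256 for ECDHE. */` comment, so the hunk no longer says which curve the server's ephemeral ECDH key uses and the macro name alone does not reveal it; restore that information on the new line, e.g. `nid = NID_tor_default_ecdhe_group; /* P-256; the P-224/P-256 selection flags are gone. */`, and consider merging it into the declaration as `int nid = NID_tor_default_ecdhe_group;`. The pre-existing `/*XXXX Handle errors? */` path is now the only path: a NULL from EC_KEY_new_by_curve_name falls through with no temporary ECDH key set and no diagnostic, and whether OpenSSL then supplies its own default for this build is not visible here, so at minimum a log line in the NULL case would make a misconfigured or curve-less build observable. The enclosing function continues outside the hunk.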