- Fix detection of SSL_CTX_set_tmp_ecdh function.
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 11 Jul 2025 13:47:59 +0000 (15:47 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 11 Jul 2025 13:47:59 +0000 (15:47 +0200)
config.h.in
configure
configure.ac
doc/Changelog
testcode/petal.c
util/net_help.c

index b166f6f23e86a91e9d641fa35cac55b44f408034..10222cd123e5890b4d672ea30bf11f1655c721bf 100644 (file)
    0 if you don't. */
 #undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
 
+/* Define to 1 if you have the declaration of `SSL_CTX_set_tmp_ecdh', and to 0
+   if you don't. */
+#undef HAVE_DECL_SSL_CTX_SET_TMP_ECDH
+
 /* Define to 1 if you have the declaration of `strlcat', and to 0 if you
    don't. */
 #undef HAVE_DECL_STRLCAT
    function. */
 #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
 
-/* Define to 1 if you have the `SSL_CTX_set_tmp_ecdh' function. */
-#undef HAVE_SSL_CTX_SET_TMP_ECDH
-
 /* Define to 1 if you have the `SSL_get0_alpn_selected' function. */
 #undef HAVE_SSL_GET0_ALPN_SELECTED
 
index 4c9be7ba7c254cf5fa7df481bbe247f74710b27a..bc1a15ffb1665888ba2c4938af7fc08dc2e638ee 100755 (executable)
--- a/configure
+++ b/configure
@@ -20819,12 +20819,6 @@ then :
   printf "%s\n" "#define HAVE_BIO_SET_CALLBACK_EX 1" >>confdefs.h
 
 fi
-ac_fn_c_check_func "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_func_SSL_CTX_set_tmp_ecdh"
-if test "x$ac_cv_func_SSL_CTX_set_tmp_ecdh" = xyes
-then :
-  printf "%s\n" "#define HAVE_SSL_CTX_SET_TMP_ECDH 1" >>confdefs.h
-
-fi
 
 
 # these check_funcs need -lssl
@@ -20983,6 +20977,34 @@ else $as_nop
   ac_have_decl=0
 fi
 printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl" >>confdefs.h
+ac_fn_check_decl "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" "
+$ac_includes_default
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+
+#ifdef HAVE_OPENSSL_RAND_H
+#include <openssl/rand.h>
+#endif
+
+#ifdef HAVE_OPENSSL_CONF_H
+#include <openssl/conf.h>
+#endif
+
+#ifdef HAVE_OPENSSL_ENGINE_H
+#include <openssl/engine.h>
+#endif
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" = xyes
+then :
+  ac_have_decl=1
+else $as_nop
+  ac_have_decl=0
+fi
+printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_TMP_ECDH $ac_have_decl" >>confdefs.h
 
 
 if test "$ac_cv_func_HMAC_Init_ex" = "yes"; then
index ff50e1e27f4a7f9e2377a887680b838fea620f53..15e446d60e446b0d02d68cd311c93bf2249cd2ae 100644 (file)
@@ -996,7 +996,7 @@ else
        AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex SSL_CTX_set_tmp_ecdh])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
 
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
@@ -1004,7 +1004,7 @@ LIBS="-lssl $LIBS"
 AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate])
 LIBS="$BAKLIBS"
 
-AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
+AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
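Review bot: Nothing in configure.ac records why SSL_CTX_set_tmp_ecdh moved from AC_CHECK_FUNCS to the AC_CHECK_DECLS list, so a later cleanup could move it back and silently lose the ECDHE fallback again. Presumably the link test never matched because the OpenSSL headers provide the name as a macro rather than an exported symbol. A comment above the AC_CHECK_DECLS line would capture both the reason and the changed macro semantics, for example `# SSL_CTX_set_tmp_ecdh may be a macro: test the declaration. HAVE_DECL_* is always defined (0 or 1), so use #if, not #ifdef.` The include list passed to AC_CHECK_DECLS continues past the end of this hunk.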
index 5729d46068c850b60785b4b34f4d5e6a49da42af..6977c9bd4bc023a32313a99e7e1ab01dee714253 100644 (file)
@@ -1,3 +1,6 @@
+11 July 2025: Wouter
+       - Fix detection of SSL_CTX_set_tmp_ecdh function.
+
 8 July 2025: Wouter
        - Fix to improve dnstap discovery on Fedora.
 
index 6d825f1e0ca472862804084f4350330955c28244..627c77d575290e341e37af595476bb75eb281314 100644 (file)
@@ -256,7 +256,7 @@ setup_ctx(char* key, char* cert)
 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
        if (!SSL_CTX_set_ecdh_auto(ctx,1))
                if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n");
-#elif defined(USE_ECDSA) && defined(HAVE_SSL_CTX_SET_TMP_ECDH)
+#elif defined(USE_ECDSA) && HAVE_DECL_SSL_CTX_SET_TMP_ECDH
        if(1) {
                EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
                if (!ecdh) {
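Review bot: When HAVE_DECL_SSL_CTX_SET_ECDH_AUTO is 0 and either HAVE_DECL_SSL_CTX_SET_TMP_ECDH is 0 or USE_ECDSA is undefined, neither branch is compiled and nothing visible here records that the TLS context was built without any ECDH setup. The same guard is used in listen_sslctx_setup_2 in util/net_help.c, where it affects the real listener rather than a test server. The `#if` chain ends outside both hunks, so an existing `#else` may already cover this; if not, consider adding one with a comment such as `/* no ECDH setup API found at configure time; ECDHE not explicitly enabled */` or a verbose log line, so the missing forward secrecy is detectable. Because the macro is now tested by value, a short comment at the `#elif` noting that it is always defined to 0 or 1 would also help, since an undefined name evaluates to 0 without a diagnostic unless -Wundef is enabled.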
index 19e42642e20ea87d92900fa4b4e2d00cb9c771e5..a147c511d8f3b6728c0e3ecd465b4d2bd52944b0 100644 (file)
@@ -1312,7 +1312,7 @@ listen_sslctx_setup_2(void* ctxt)
        if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
                log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
        }
-#elif defined(USE_ECDSA) && defined(HAVE_SSL_CTX_SET_TMP_ECDH)
+#elif defined(USE_ECDSA) && HAVE_DECL_SSL_CTX_SET_TMP_ECDH
        if(1) {
                EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
                if (!ecdh) {