Fix deprecation warning for ECDH config with OpenSSL 3.x

2024-10-31 21:20:21 +00:00 · 2024-09-28 00:05:04 +03:00 · 2024-09-28 00:05:04 +03:00 · a45b5d6b41
commit a45b5d6b41
parent f009df6615
4 changed files with 29 additions and 20 deletions
--- a/src/opts.c
+++ b/src/opts.c
@ -1622,14 +1622,12 @@ opts_set_dh(conn_opts_t *conn_opts, const char *argv0, const char *optarg, tmp_o
 int
 opts_set_ecdhcurve(conn_opts_t *conn_opts, const char *argv0, const char *optarg)
 {
-	EC_KEY *ec;
 	if (conn_opts->ecdhcurve)
 		free(conn_opts->ecdhcurve);
-	if (!(ec = ssl_ec_by_name(optarg))) {
+	if (ssl_ec_nid_by_name(optarg) == NID_undef) {
 		fprintf(stderr, "%s: unknown curve '%s'\n", argv0, optarg);
 		return -1;
 	}
-	EC_KEY_free(ec);
 	conn_opts->ecdhcurve = strdup(optarg);
 	if (!conn_opts->ecdhcurve)
 		return oom_return(argv0);
--- a/src/protossl.c
+++ b/src/protossl.c
@ -403,14 +403,30 @@ protossl_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
 	}
 #endif /* !OPENSSL_NO_DH */
 #ifndef OPENSSL_NO_ECDH
-	if (ctx->conn_opts->ecdhcurve) {
-		EC_KEY *ecdh = ssl_ec_by_name(ctx->conn_opts->ecdhcurve);
-		SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
-		EC_KEY_free(ecdh);
-	} else {
-		EC_KEY *ecdh = ssl_ec_by_name(NULL);
-		SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
-		EC_KEY_free(ecdh);
+	int nid = ssl_ec_nid_by_name(ctx->conn_opts->ecdhcurve);
+	if (nid != NID_undef) {
+		int rv = 0;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || defined(LIBRESSL_VERSION_NUMBER)
+		EC_KEY *ecdh = EC_KEY_new_by_curve_name(nid);
+		if (ecdh) {
+			rv = SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
+			EC_KEY_free(ecdh);
+		}
+		else {
+			log_dbg_printf("failed setting ecdh curve: %ld\n", ERR_get_error());
+			return NULL;
+		}
+#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+		rv = SSL_CTX_set1_groups(sslctx, &nid, 1);
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+		if (!rv) {
+			log_dbg_printf("failed setting ecdh curve: %ld\n", ERR_get_error());
+			return NULL;
+		}
+	}
+	else {
+		log_dbg_printf("failed setting ecdh curve, unknown nid: %d\n", nid);
+		return NULL;
 	}
 #endif /* !OPENSSL_NO_ECDH */
 	if (SSL_CTX_use_certificate(sslctx, crt) != 1) {
--- a/src/ssl.c
+++ b/src/ssl.c
@ -811,18 +811,13 @@ ssl_dh_load(const char *filename)
 * Load an Elliptic Curve by name.  If curvename is NULL, a default curve is
 * loaded.
 */
-EC_KEY *
-ssl_ec_by_name(const char *curvename)
+int
+ssl_ec_nid_by_name(const char *curvename)
 {
-	int nid;
-
 	if (!curvename)
 		curvename = DFLT_CURVE;

-	if ((nid = OBJ_sn2nid(curvename)) == NID_undef) {
-		return NULL;
-	}
-	return EC_KEY_new_by_curve_name(nid);
+	return OBJ_sn2nid(curvename);
 }
 #endif /* !OPENSSL_NO_EC */

--- a/src/ssl.h
+++ b/src/ssl.h
@ -227,7 +227,7 @@ void ssl_dh_refcount_inc(DH *) NONNULL(1);
 #endif /* !OPENSSL_NO_DH */

 #ifndef OPENSSL_NO_EC
-EC_KEY * ssl_ec_by_name(const char *) MALLOC;
+int ssl_ec_nid_by_name(const char *);
 #endif /* !OPENSSL_NO_EC */

 EVP_PKEY * ssl_key_load(const char *) NONNULL(1) MALLOC;