Ignore -named_curve auto value to improve backwards compatibility

Fixes #3490 Reviewed-by: N Rich Salz <rsalz@openssl.org> Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3518)

Ignore -named_curve auto value to improve backwards compatibility
Fixes #3490 Reviewed-by: N Rich Salz <rsalz@openssl.org> Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3518)
1c7aa0db · Tomas Mraz · Matt Caswell · 0b20ad12 · 1c7aa0db · 1c7aa0db
隐藏空白更改
内联并排

Showing with 12 addition and 0 deletion

CHANGES CHANGES +4 -0

ssl/ssl_conf.c ssl/ssl_conf.c +8 -0

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -14,6 +14,10 @@
     than just the call where this user data is passed.
     [Richard Levitte]
+  *) Ignore the '-named_curve auto' value for compatibility of applications
+     with OpenSSL 1.0.2.
+     [Tomas Mraz <tmraz@fedoraproject.org>]
  *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
     bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
     alerts across multiple records (some of which could be empty). In practice

--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -227,6 +227,14 @@ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value)
    EC_KEY *ecdh;
    int nid;
+    /* Ignore values supported by 1.0.2 for the automatic selection */
+    if ((cctx->flags & SSL_CONF_FLAG_FILE) &&
+        strcasecmp(value, "+automatic") == 0)
+        return 1;
+    if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) &&
+        strcmp(value, "auto") == 0)
+        return 1;
    nid = EC_curve_nist2nid(value);
    if (nid == NID_undef)
        nid = OBJ_sn2nid(value);