From a0346d8054d3b19a7e30b5de70048c001d8c2c26 Mon Sep 17 00:00:00 2001
From: daurnimator <quae@daurnimator.com>
Date: Mon, 3 Apr 2017 12:54:23 +1000
Subject: openssl.ssl.context.new: Turn on ecdh_auto in OpenSSL 1.0.2

It's on by default in 1.1.0, and supported in < 1.0.2.
Suggestion taken from ruby openssl implementation: https://github.com/ruby/openssl/blob/a7bbd590c66d40bd662502df9c65474e85b5f03f/ext/openssl/ossl_ssl.c#L135
---
 src/openssl.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'src')

diff --git a/src/openssl.c b/src/openssl.c
index d679d92..652e38a 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -258,6 +258,10 @@
 #define HAVE_SSL_CTX_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
 #endif
 
+#ifndef HAVE_SSL_CTX_SET_ECDH_AUTO
+#define HAVE_SSL_CTX_SET_ECDH_AUTO ((OPENSSL_PREREQ(1,0,2) && !OPENSSL_PREREQ(1,1,0)) || LIBRESSL_PREREQ(2,1,2))
+#endif
+
 #ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS
 #define HAVE_SSL_CTX_SET_ALPN_PROTOS (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,3))
 #endif
@@ -7575,6 +7579,15 @@ static int sx_new(lua_State *L) {
 
 	SSL_CTX_set_options(*ud, options);
 
+#if HAVE_SSL_CTX_SET_ECDH_AUTO
+	/* OpenSSL 1.0.2 introduced SSL_CTX_set_ecdh_auto to automatically select
+	 * from the curves set via SSL_CTX_set1_curves_list. However as of OpenSSL
+	 * 1.1.0, the functionality was turned on permanently and the option
+	 * removed. */
+	if (!SSL_CTX_set_ecdh_auto(*ud, 1))
+		return auxL_error(L, auxL_EOPENSSL, "ssl.context.new");
+#endif
+
 	return 1;
 } /* sx_new() */
 
-- 
cgit v1.2.3-55-g6feb