From: Tomas Mraz Date: Mon, 22 May 2017 14:20:21 +0000 (+0200) Subject: Ignore -named_curve auto value to improve backwards compatibility X-Git-Tag: OpenSSL_1_1_1-pre1~1351 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=1c7aa0dbf16c3389bbedd13391bb653e7a189603;p=oweals%2Fopenssl.git Ignore -named_curve auto value to improve backwards compatibility Fixes #3490 Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/3518) --- diff --git a/CHANGES b/CHANGES index 0e8d9225db..97bfa55484 100644 --- a/CHANGES +++ b/CHANGES @@ -14,6 +14,10 @@ than just the call where this user data is passed. [Richard Levitte] + *) Ignore the '-named_curve auto' value for compatibility of applications + with OpenSSL 1.0.2. + [Tomas Mraz ] + *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such alerts across multiple records (some of which could be empty). In practice diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 41c7ff7d83..ab0a94ddd7 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -227,6 +227,14 @@ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) EC_KEY *ecdh; int nid; + /* Ignore values supported by 1.0.2 for the automatic selection */ + if ((cctx->flags & SSL_CONF_FLAG_FILE) && + strcasecmp(value, "+automatic") == 0) + return 1; + if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && + strcmp(value, "auto") == 0) + return 1; + nid = EC_curve_nist2nid(value); if (nid == NID_undef) nid = OBJ_sn2nid(value);
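Review bot: The CHANGES entry names only '-named_curve auto', but the ssl/ssl_conf.c hunk also ignores "+automatic" when SSL_CONF_FLAG_FILE is set. Suggest listing both ignored values in the entry so that people carrying a 1.0.2 configuration file can see their setting is covered, not just command-line users.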
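Review bot: In cmd_ECDHParameters the two new early returns compare differently with no explanation: the SSL_CONF_FLAG_FILE branch uses strcasecmp against "+automatic", while the SSL_CONF_FLAG_CMDLINE branch uses a case-sensitive strcmp against "auto". If that asymmetry is deliberate, extend the comment to say so, and to say that `return 1` reports success without this call configuring any curve; as written a reader can take it for an oversight. It is also worth confirming the intended handling of near-miss spellings: a file value of "automatic" without the leading '+', or a command-line value of "AUTO", does not match either test and falls through to EC_curve_nist2nid(value) to be treated as a curve name.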