From f9ba3d5c894b9a5f9bda9254c5231236cee663ad Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 13 Mar 2022 11:25:04 +0200
Subject: [PATCH] OpenSSL 3.0: Set SSL groups using SSL_set1_groups()

The mechanism using SSL_set_tmp_ecdh() has been obsoleted and SSL_set1_groups() takes care of it instead.

Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index e16daad26..3eca7b17c 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3059,7 +3059,9 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 return -1;
 }
 } else if (flags & TLS_CONN_SUITEB) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 EC_KEY *ecdh;
+#endif
 const char *ciphers =
 "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
 int nid[1] = { NID_secp384r1 };
@@ -3076,6 +3078,14 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 return -1;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if (SSL_set1_groups(ssl, nid, 1) != 1) {
+ wpa_printf(MSG_INFO,
+ "OpenSSL: Failed to set Suite B groups");
+ return -1;
+ }
+
+#else
 if (SSL_set1_curves(ssl, nid, 1) != 1) {
 wpa_printf(MSG_INFO,
 "OpenSSL: Failed to set Suite B curves");
@@ -3090,6 +3100,7 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 return -1;
 }
 EC_KEY_free(ecdh);
+#endif
 }
 if (flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) {
 #ifdef OPENSSL_IS_BORINGSSL
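Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` branch added in the second hunk has no comment explaining why the temporary ECDH key handling of the `#else` branch has no counterpart, so a reader comparing the two branches could take it for a dropped hardening step on the Suite B path. The commit message gives the reason, and it belongs next to the code, for example `/* OpenSSL 3.0: SSL_set_tmp_ecdh() is obsolete; the group list set here also determines the ECDHE curve */` above the `SSL_set1_groups()` call. The same comment could state that the single-entry `nid` array is what limits this path to secp384r1, since that restriction is the security-relevant part of the block. tls_set_conn_flags() starts and ends outside these hunks, and the legacy lines between the second and third hunk are not shown.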