From 6570949b2c1d7b94b3795a6b29b73498aca24d5e Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 13 Apr 2019 16:53:19 +0300 Subject: [PATCH] OpenSSL: Fix server side openssl_ecdh_curves configuration with 1.0.2 It looks like SSL_CTX_set1_curves_list() command alone is not sufficient to enable ECDH curve selection with older OpenSSL versions for TLS server, so enable automatic selection first and specify the exact list of curves after that. This fixes failures in openssl_ecdh_curves test case when hostapd uses OpenSSL 1.0.2. Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 47e074634..b0c23ae6c 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -5037,6 +5037,9 @@ int tls_global_set_params(void *tls_ctx,
 return -1;
 #else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
 #ifndef OPENSSL_NO_EC
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
+#endif
 if (SSL_CTX_set1_curves_list(ssl_ctx, params->openssl_ecdh_curves) != 1) {
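Review bot: The added `SSL_CTX_set_ecdh_auto(ssl_ctx, 1);` under `#if OPENSSL_VERSION_NUMBER < 0x10100000L` has no comment saying why it must precede `SSL_CTX_set1_curves_list()`, and its return value is dropped, unlike the curve-list call right below it. The rationale lives only in the commit message; a comment such as `/* OpenSSL 1.0.2 server: the curve list alone does not enable ECDH curve selection, so turn on automatic selection first */` would keep the call from being removed later as redundant. For consistency the call could be written as `if (SSL_CTX_set_ecdh_auto(ssl_ctx, 1) != 1)` and sent down the same failure path as the curve-list check, so that a configured `openssl_ecdh_curves` which cannot take effect is reported rather than silently ignored. The version guard is also false on LibreSSL, which reports a higher `OPENSSL_VERSION_NUMBER`, so it is worth confirming whether that build needs the same call. The enclosing function and the body of the following `if` continue outside the hunk.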