Use OpenSSL 3.x+ API for setting tls groups

This also aligns behaviour of OpenVPN 2.x and 3.x to not ignore
unknown groups but reject tls-groups in its entirety.

Signed-off-by: Arne Schwabe <arne@openvpn.net>

Author: schwabe

openvpn/openssl/ssl/sslctx.hpp

@@ -1615,6 +1615,7 @@ class OpenSSLContext : public SSLFactoryAPI
 
     void set_openssl_tls_groups(const std::string &tls_groups)
     {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
         auto num_groups = std::count(tls_groups.begin(), tls_groups.end(), ':') + 1;
 
         std::unique_ptr<int[]> glist(new int[num_groups]);
@@ -1648,6 +1649,10 @@ class OpenSSLContext : public SSLFactoryAPI
 
         if (!SSL_CTX_set1_groups(ctx.get(), glist.get(), glistlen))
             OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set1_groups failed");
+#else
+        if (!SSL_CTX_set1_groups_list(ctx.get(), tls_groups.c_str()))
+            OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set1_groups_list failed");
+#endif
     }
 
     // remote-cert-ku verification

test/unittests/test_ssl.cpp

@@ -86,14 +86,22 @@ TEST(Ssl, TlsGroups)
     sslcfg->set_tls_groups("secp521r1:secp384r1:greenhell");
 
     testLog->startCollecting();
+#if defined(USE_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+    OVPN_EXPECT_THROW(
+        f = sslcfg->new_factory(),
+        openvpn::SSLFactoryAPI::ssl_context_error,
+        "OpenSSLContext: SSL_CTX_set1_groups_list failed");
+#else
     f = sslcfg->new_factory();
     f->set_log_level(logging::LOG_LEVEL_INFO);
     f->ssl();
+
 #ifdef USE_OPENSSL
     EXPECT_EQ("OpenSSL -- warning ignoring unknown group 'greenhell' in tls-groups\n", testLog->stopCollecting());
 #else
     EXPECT_EQ("mbed TLS -- warning ignoring unknown group 'greenhell' in tls-groups\n", testLog->stopCollecting());
 #endif
+#endif
 }
 
 #ifdef USE_OPENSSL