This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch curve-name in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit 4bf2cdb5bccbd2c82eba2c5755cbdc1ef127e030 Author: Mark Thomas <[email protected]> AuthorDate: Thu Jan 8 17:29:45 2026 +0000 Refactor ECDH curve name extraction to avoid deprecated methods --- native/include/ssl_private.h | 3 ++- native/src/sslcontext.c | 14 ++++---------- native/src/sslutils.c | 35 ++++++++++++++++++++++++++++++----- xdocs/miscellaneous/changelog.xml | 4 ++++ 4 files changed, 40 insertions(+), 16 deletions(-) diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h index 7349c6f59..132866c1d 100644 --- a/native/include/ssl_private.h +++ b/native/include/ssl_private.h @@ -49,6 +49,7 @@ #ifndef LIBRESSL_VERSION_NUMBER #include <openssl/provider.h> #endif +#include <openssl/core_names.h> #ifndef RAND_MAX #include <limits.h> @@ -378,7 +379,7 @@ void SSL_BIO_doref(BIO *); DH *SSL_get_dh_params(unsigned keylen); EVP_PKEY *SSL_dh_GetParamFromFile(const char *); #ifdef HAVE_ECC -EC_GROUP *SSL_ec_GetParamFromFile(const char *); +int SSL_ec_GetParamFromFile(const char *); #endif DH *SSL_callback_tmp_DH(SSL *, int, int); void SSL_callback_handshake(const SSL *, int, int); diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c index 87c3312b8..ce5177937 100644 --- a/native/src/sslcontext.c +++ b/native/src/sslcontext.c @@ -946,9 +946,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx, const char *p; char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; #ifdef HAVE_ECC - EC_GROUP *ecparams = NULL; int nid; - EC_KEY *eckey = NULL; #endif EVP_PKEY *evp; @@ -1036,14 +1034,10 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx, */ /* XXX Does this also work for pkcs12 or only for PEM files? * If only for PEM files move above to the PEM handling */ - if ((ecparams = SSL_ec_GetParamFromFile(cert_file)) && - (nid = EC_GROUP_get_curve_name(ecparams)) && - (eckey = EC_KEY_new_by_curve_name(nid))) { - SSL_CTX_set_tmp_ecdh(c->ctx, eckey); - } - /* OpenSSL assures us that _free() is NULL-safe */ - EC_KEY_free(eckey); - EC_GROUP_free(ecparams); + nid = SSL_ec_GetParamFromFile(cert_file); + if (nid != NID_undef) { + SSL_CTX_set1_groups(c->ctx, &nid, 1); + } #endif SSL_CTX_set_dh_auto(c->ctx, 1); diff --git a/native/src/sslutils.c b/native/src/sslutils.c index dac911f88..9d6803e18 100644 --- a/native/src/sslutils.c +++ b/native/src/sslutils.c @@ -198,16 +198,41 @@ EVP_PKEY *SSL_dh_GetParamFromFile(const char *file) } #ifdef HAVE_ECC -EC_GROUP *SSL_ec_GetParamFromFile(const char *file) +int SSL_ec_GetParamFromFile(const char *file) { - EC_GROUP *group = NULL; + EVP_PKEY *evp = NULL; BIO *bio; + char curve_name[80]; if ((bio = BIO_new_file(file, "r")) == NULL) - return NULL; - group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); + return NID_undef; + evp = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL); BIO_free(bio); - return (group); + if (!EVP_PKEY_is_a(evp, "EC")) { + EVP_PKEY_free(evp); + return NID_undef; + } + + OSSL_PARAM param[] = { + OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, curve_name, sizeof(curve_name)), + OSSL_PARAM_construct_end() + }; + + /* Query the curve name from the EVP_PKEY params object */ + if (EVP_PKEY_get_params(evp, param) <= 0) { + EVP_PKEY_free(evp); + return NID_undef; /* Failed to retrieve the curve name */ + } + + /* Convert the curve name to the NID */ + int nid = OBJ_sn2nid(curve_name); + if (nid == NID_undef) { + /* If the short name didn't resolve, try the long name */ + nid = OBJ_ln2nid(curve_name); + } + + EVP_PKEY_free(evp); + return nid; /* Returns the curve's NID, or NID_undef on failure */ } #endif diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml index 5698d65f7..d59127bfa 100644 --- a/xdocs/miscellaneous/changelog.xml +++ b/xdocs/miscellaneous/changelog.xml @@ -37,6 +37,10 @@ Remove group write permissions from the files in the tar.gz source archive. (markt) </fix> + <fix> + Refcator extraction of ECDH curve name from the Certificate to avoid + deprecated OpenSSL methods. (markt) + </fix> </changelog> </section> <section name="Changes in 2.0.12"> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
