Re: (tomcat-native) 01/01: Refactor ECDH curve name extraction to avoid deprecated methods

[Mark Thomas]

On 08/01/2026 17:30, ma...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch curve-name
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

commit 4bf2cdb5bccbd2c82eba2c5755cbdc1ef127e030
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jan 8 17:29:45 2026 +0000

     Refactor ECDH curve name extraction to avoid deprecated methods

Reviews via https://github.com/apache/tomcat-native/pull/34 would be 
appreciated for this one.

Mark


---
  native/include/ssl_private.h      |  3 ++-
  native/src/sslcontext.c           | 14 ++++----------
  native/src/sslutils.c             | 35 ++++++++++++++++++++++++++++++-----
  xdocs/miscellaneous/changelog.xml |  4 ++++
  4 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 7349c6f59..132866c1d 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -49,6 +49,7 @@
  #ifndef LIBRESSL_VERSION_NUMBER
  #include <openssl/provider.h>
  #endif
+#include <openssl/core_names.h>
  
  #ifndef RAND_MAX
  #include <limits.h>
@@ -378,7 +379,7 @@ void        SSL_BIO_doref(BIO *);
  DH         *SSL_get_dh_params(unsigned keylen);
  EVP_PKEY   *SSL_dh_GetParamFromFile(const char *);
  #ifdef HAVE_ECC
-EC_GROUP   *SSL_ec_GetParamFromFile(const char *);
+int         SSL_ec_GetParamFromFile(const char *);
  #endif
  DH         *SSL_callback_tmp_DH(SSL *, int, int);
  void        SSL_callback_handshake(const SSL *, int, int);
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 87c3312b8..ce5177937 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -946,9 +946,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCertificate)(TCN_STDARGS, jlong ctx,
      const char *p;
      char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
  #ifdef HAVE_ECC
-    EC_GROUP *ecparams = NULL;
      int nid;
-    EC_KEY *eckey = NULL;
  #endif
      EVP_PKEY *evp;
  
@@ -1036,14 +1034,10 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx,
       */
      /* XXX Does this also work for pkcs12 or only for PEM files?
       * If only for PEM files move above to the PEM handling */
-    if ((ecparams = SSL_ec_GetParamFromFile(cert_file)) &&
-        (nid = EC_GROUP_get_curve_name(ecparams)) &&
-        (eckey = EC_KEY_new_by_curve_name(nid))) {
-        SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
-    }
-    /* OpenSSL assures us that _free() is NULL-safe */
-    EC_KEY_free(eckey);
-    EC_GROUP_free(ecparams);
+    nid = SSL_ec_GetParamFromFile(cert_file);
+    if (nid != NID_undef) {
+        SSL_CTX_set1_groups(c->ctx, &nid, 1);
+    }
  #endif
      SSL_CTX_set_dh_auto(c->ctx, 1);
  
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index dac911f88..9d6803e18 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -198,16 +198,41 @@ EVP_PKEY *SSL_dh_GetParamFromFile(const char *file)
  }
  
  #ifdef HAVE_ECC
-EC_GROUP *SSL_ec_GetParamFromFile(const char *file)
+int SSL_ec_GetParamFromFile(const char *file)
  {
-    EC_GROUP *group = NULL;
+    EVP_PKEY *evp = NULL;
      BIO *bio;
+    char curve_name[80];
  
      if ((bio = BIO_new_file(file, "r")) == NULL)
-        return NULL;
-    group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
+        return NID_undef;
+    evp = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL);
      BIO_free(bio);
-    return (group);
+    if (!EVP_PKEY_is_a(evp, "EC")) {
+        EVP_PKEY_free(evp);
+        return NID_undef;
+    }
+
+    OSSL_PARAM param[] = {
+        OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, 
curve_name, sizeof(curve_name)),
+        OSSL_PARAM_construct_end()
+    };
+
+    /* Query the curve name from the EVP_PKEY params object */
+    if (EVP_PKEY_get_params(evp, param) <= 0) {
+        EVP_PKEY_free(evp);
+        return NID_undef; /* Failed to retrieve the curve name */
+    }
+
+    /* Convert the curve name to the NID */
+    int nid = OBJ_sn2nid(curve_name);
+    if (nid == NID_undef) {
+        /* If the short name didn't resolve, try the long name */
+        nid = OBJ_ln2nid(curve_name);
+    }
+
+    EVP_PKEY_free(evp);
+    return nid; /* Returns the curve's NID, or NID_undef on failure */
  }
  #endif
  
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index 5698d65f7..d59127bfa 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -37,6 +37,10 @@
        Remove group write permissions from the files in the tar.gz source
        archive. (markt)
      </fix>
+    <fix>
+      Refcator extraction of ECDH curve name from the Certificate to avoid
+      deprecated OpenSSL methods. (markt)
+    </fix>
    </changelog>
  </section>
  <section name="Changes in 2.0.12">


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org