Re: (tomcat-native) 01/01: Refactor ECDH curve name extraction to avoid deprecated methods

Thu, 08 Jan 2026 09:57:19 -0800 

On Thu, Jan 8, 2026 at 6:31 PM <[email protected]> wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch curve-name
> in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
>
> commit 4bf2cdb5bccbd2c82eba2c5755cbdc1ef127e030
> Author: Mark Thomas <[email protected]>
> AuthorDate: Thu Jan 8 17:29:45 2026 +0000
>
>     Refactor ECDH curve name extraction to avoid deprecated methods

EC_GROUP_get_curve_name is deprecated ?

Rémy

> ---
>  native/include/ssl_private.h      |  3 ++-
>  native/src/sslcontext.c           | 14 ++++----------
>  native/src/sslutils.c             | 35 ++++++++++++++++++++++++++++++-----
>  xdocs/miscellaneous/changelog.xml |  4 ++++
>  4 files changed, 40 insertions(+), 16 deletions(-)
>
> diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
> index 7349c6f59..132866c1d 100644
> --- a/native/include/ssl_private.h
> +++ b/native/include/ssl_private.h
> @@ -49,6 +49,7 @@
>  #ifndef LIBRESSL_VERSION_NUMBER
>  #include <openssl/provider.h>
>  #endif
> +#include <openssl/core_names.h>
>
>  #ifndef RAND_MAX
>  #include <limits.h>
> @@ -378,7 +379,7 @@ void        SSL_BIO_doref(BIO *);
>  DH         *SSL_get_dh_params(unsigned keylen);
>  EVP_PKEY   *SSL_dh_GetParamFromFile(const char *);
>  #ifdef HAVE_ECC
> -EC_GROUP   *SSL_ec_GetParamFromFile(const char *);
> +int         SSL_ec_GetParamFromFile(const char *);
>  #endif
>  DH         *SSL_callback_tmp_DH(SSL *, int, int);
>  void        SSL_callback_handshake(const SSL *, int, int);
> diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
> index 87c3312b8..ce5177937 100644
> --- a/native/src/sslcontext.c
> +++ b/native/src/sslcontext.c
> @@ -946,9 +946,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
> setCertificate)(TCN_STDARGS, jlong ctx,
>      const char *p;
>      char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
>  #ifdef HAVE_ECC
> -    EC_GROUP *ecparams = NULL;
>      int nid;
> -    EC_KEY *eckey = NULL;
>  #endif
>      EVP_PKEY *evp;
>
> @@ -1036,14 +1034,10 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
> setCertificate)(TCN_STDARGS, jlong ctx,
>       */
>      /* XXX Does this also work for pkcs12 or only for PEM files?
>       * If only for PEM files move above to the PEM handling */
> -    if ((ecparams = SSL_ec_GetParamFromFile(cert_file)) &&
> -        (nid = EC_GROUP_get_curve_name(ecparams)) &&
> -        (eckey = EC_KEY_new_by_curve_name(nid))) {
> -        SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
> -    }
> -    /* OpenSSL assures us that _free() is NULL-safe */
> -    EC_KEY_free(eckey);
> -    EC_GROUP_free(ecparams);
> +    nid = SSL_ec_GetParamFromFile(cert_file);
> +    if (nid != NID_undef) {
> +        SSL_CTX_set1_groups(c->ctx, &nid, 1);
> +    }
>  #endif
>      SSL_CTX_set_dh_auto(c->ctx, 1);
>
> diff --git a/native/src/sslutils.c b/native/src/sslutils.c
> index dac911f88..9d6803e18 100644
> --- a/native/src/sslutils.c
> +++ b/native/src/sslutils.c
> @@ -198,16 +198,41 @@ EVP_PKEY *SSL_dh_GetParamFromFile(const char *file)
>  }
>
>  #ifdef HAVE_ECC
> -EC_GROUP *SSL_ec_GetParamFromFile(const char *file)
> +int SSL_ec_GetParamFromFile(const char *file)
>  {
> -    EC_GROUP *group = NULL;
> +    EVP_PKEY *evp = NULL;
>      BIO *bio;
> +    char curve_name[80];
>
>      if ((bio = BIO_new_file(file, "r")) == NULL)
> -        return NULL;
> -    group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
> +        return NID_undef;
> +    evp = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL);
>      BIO_free(bio);
> -    return (group);
> +    if (!EVP_PKEY_is_a(evp, "EC")) {
> +        EVP_PKEY_free(evp);
> +        return NID_undef;
> +    }
> +
> +    OSSL_PARAM param[] = {
> +        OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, 
> curve_name, sizeof(curve_name)),
> +        OSSL_PARAM_construct_end()
> +    };
> +
> +    /* Query the curve name from the EVP_PKEY params object */
> +    if (EVP_PKEY_get_params(evp, param) <= 0) {
> +        EVP_PKEY_free(evp);
> +        return NID_undef; /* Failed to retrieve the curve name */
> +    }
> +
> +    /* Convert the curve name to the NID */
> +    int nid = OBJ_sn2nid(curve_name);
> +    if (nid == NID_undef) {
> +        /* If the short name didn't resolve, try the long name */
> +        nid = OBJ_ln2nid(curve_name);
> +    }
> +
> +    EVP_PKEY_free(evp);
> +    return nid; /* Returns the curve's NID, or NID_undef on failure */
>  }
>  #endif
>
> diff --git a/xdocs/miscellaneous/changelog.xml 
> b/xdocs/miscellaneous/changelog.xml
> index 5698d65f7..d59127bfa 100644
> --- a/xdocs/miscellaneous/changelog.xml
> +++ b/xdocs/miscellaneous/changelog.xml
> @@ -37,6 +37,10 @@
>        Remove group write permissions from the files in the tar.gz source
>        archive. (markt)
>      </fix>
> +    <fix>
> +      Refcator extraction of ECDH curve name from the Certificate to avoid
> +      deprecated OpenSSL methods. (markt)
> +    </fix>
>    </changelog>
>  </section>
>  <section name="Changes in 2.0.12">
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to