---
native/include/ssl_private.h | 3 ++-
native/src/sslcontext.c | 14 ++++----------
native/src/sslutils.c | 35 ++++++++++++++++++++++++++++++-----
xdocs/miscellaneous/changelog.xml | 4 ++++
4 files changed, 40 insertions(+), 16 deletions(-)
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 7349c6f59..132866c1d 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -49,6 +49,7 @@
#ifndef LIBRESSL_VERSION_NUMBER
#include <openssl/provider.h>
#endif
+#include <openssl/core_names.h>
#ifndef RAND_MAX
#include <limits.h>
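Review bot: The new `#include <openssl/core_names.h>` sits after the `#endif` that closes the `#ifndef LIBRESSL_VERSION_NUMBER` guard around `<openssl/provider.h>`, so it is pulled in unconditionally. If LibreSSL is still a supported build target, as that guard suggests, this header and the `OSSL_PARAM`-based code this commit adds to `SSL_ec_GetParamFromFile` in sslutils.c are presumably not available there. Confirm this, then either move the include inside the guard and keep a LibreSSL code path for the curve lookup, or state in the changelog that LibreSSL builds are no longer supported.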
@@ -378,7 +379,7 @@ void SSL_BIO_doref(BIO *);
DH *SSL_get_dh_params(unsigned keylen);
EVP_PKEY *SSL_dh_GetParamFromFile(const char *);
#ifdef HAVE_ECC
-EC_GROUP *SSL_ec_GetParamFromFile(const char *);
+int SSL_ec_GetParamFromFile(const char *);
#endif
DH *SSL_callback_tmp_DH(SSL *, int, int);
void SSL_callback_handshake(const SSL *, int, int);
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 87c3312b8..ce5177937 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -946,9 +946,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
const char *p;
char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
#ifdef HAVE_ECC
- EC_GROUP *ecparams = NULL;
int nid;
- EC_KEY *eckey = NULL;
#endif
EVP_PKEY *evp;
@@ -1036,14 +1034,10 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
*/
/* XXX Does this also work for pkcs12 or only for PEM files?
* If only for PEM files move above to the PEM handling */
- if ((ecparams = SSL_ec_GetParamFromFile(cert_file)) &&
- (nid = EC_GROUP_get_curve_name(ecparams)) &&
- (eckey = EC_KEY_new_by_curve_name(nid))) {
- SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
- }
- /* OpenSSL assures us that _free() is NULL-safe */
- EC_KEY_free(eckey);
- EC_GROUP_free(ecparams);
+ nid = SSL_ec_GetParamFromFile(cert_file);
+ if (nid != NID_undef) {
+ SSL_CTX_set1_groups(c->ctx, &nid, 1);
+ }
#endif
SSL_CTX_set_dh_auto(c->ctx, 1);
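Review bot: The result of `SSL_CTX_set1_groups(c->ctx, &nid, 1)` is discarded, so if OpenSSL rejects the NID as a TLS group the context keeps its default group list and the caller is not told. Because a successful call narrows the context to a single group, the outcome is worth checking, e.g. `if (nid != NID_undef && SSL_CTX_set1_groups(c->ctx, &nid, 1) != 1)` followed by a report through the function's existing error handling (the `err` buffer declared at the top of `setCertificate`). A short comment such as `/* Restrict the supported groups to the curve named by the EC parameters in the certificate file, if present */` would also record why the group list is being replaced. The body of `setCertificate` starts and ends outside this hunk, so how errors are reported there needs to be confirmed against the full function.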
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index dac911f88..9d6803e18 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -198,16 +198,41 @@ EVP_PKEY *SSL_dh_GetParamFromFile(const char *file)
}
#ifdef HAVE_ECC
-EC_GROUP *SSL_ec_GetParamFromFile(const char *file)
+int SSL_ec_GetParamFromFile(const char *file)
{
- EC_GROUP *group = NULL;
+ EVP_PKEY *evp = NULL;
BIO *bio;
+ char curve_name[80];
if ((bio = BIO_new_file(file, "r")) == NULL)
- return NULL;
- group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
+ return NID_undef;
+ evp = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL);
BIO_free(bio);
- return (group);
+ if (!EVP_PKEY_is_a(evp, "EC")) {
+ EVP_PKEY_free(evp);
+ return NID_undef;
+ }
+
+ OSSL_PARAM param[] = {
+ OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
curve_name, sizeof(curve_name)),
+ OSSL_PARAM_construct_end()
+ };
+
+ /* Query the curve name from the EVP_PKEY params object */
+ if (EVP_PKEY_get_params(evp, param) <= 0) {
+ EVP_PKEY_free(evp);
+ return NID_undef; /* Failed to retrieve the curve name */
+ }
+
+ /* Convert the curve name to the NID */
+ int nid = OBJ_sn2nid(curve_name);
+ if (nid == NID_undef) {
+ /* If the short name didn't resolve, try the long name */
+ nid = OBJ_ln2nid(curve_name);
+ }
+
+ EVP_PKEY_free(evp);
+ return nid; /* Returns the curve's NID, or NID_undef on failure */
}
#endif
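Review bot: When the file contains no parameters block, `PEM_read_bio_Parameters_ex` returns NULL and that NULL is passed straight to `EVP_PKEY_is_a(evp, "EC")`, so the function depends on the library tolerating a NULL key rather than handling the case itself. An explicit `if (evp == NULL) return NID_undef;` directly after `BIO_free(bio);` makes the no-parameters path (probably the common one for a certificate file) obvious and independent of library internals. The failed PEM read presumably also leaves an entry on the OpenSSL error queue, so confirm that the caller clears or tolerates it before its next error check. The function would also benefit from a header comment stating that it returns the NID of the named curve found in the file's EC parameters, or `NID_undef` when the file cannot be opened, holds no EC parameters, or uses a curve without a resolvable name.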
diff --git a/xdocs/miscellaneous/changelog.xml
b/xdocs/miscellaneous/changelog.xml
index 5698d65f7..d59127bfa 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -37,6 +37,10 @@
Remove group write permissions from the files in the tar.gz source
archive. (markt)
</fix>
+ <fix>
+ Refcator extraction of ECDH curve name from the Certificate to avoid
+ deprecated OpenSSL methods. (markt)
+ </fix>
</changelog>
</section>
<section name="Changes in 2.0.12">