(tomcat-native) branch main updated: Refactor ECDH curve name extraction to avoid deprecated methods (#34)

Thu, 05 Feb 2026 07:23:34 -0800 

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


The following commit(s) were added to refs/heads/main by this push:
     new 44736df8a Refactor ECDH curve name extraction to avoid deprecated 
methods (#34)
44736df8a is described below

commit 44736df8ac3282eade7cb48502d5483081ba2626
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Feb 5 16:20:31 2026 +0100

    Refactor ECDH curve name extraction to avoid deprecated methods (#34)
    
    * Refactor ECDH curve name extraction to avoid deprecated methods
---
 native/include/ssl_private.h      |  3 ++-
 native/src/sslcontext.c           | 14 ++++----------
 native/src/sslutils.c             | 35 ++++++++++++++++++++++++++++++-----
 xdocs/miscellaneous/changelog.xml |  4 ++++
 4 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 7349c6f59..132866c1d 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -49,6 +49,7 @@
 #ifndef LIBRESSL_VERSION_NUMBER
 #include <openssl/provider.h>
 #endif
+#include <openssl/core_names.h>
 
 #ifndef RAND_MAX
 #include <limits.h>
@@ -378,7 +379,7 @@ void        SSL_BIO_doref(BIO *);
 DH         *SSL_get_dh_params(unsigned keylen);
 EVP_PKEY   *SSL_dh_GetParamFromFile(const char *);
 #ifdef HAVE_ECC
-EC_GROUP   *SSL_ec_GetParamFromFile(const char *);
+int         SSL_ec_GetParamFromFile(const char *);
 #endif
 DH         *SSL_callback_tmp_DH(SSL *, int, int);
 void        SSL_callback_handshake(const SSL *, int, int);
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 33889b3f3..eb9b49ec3 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -952,9 +952,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCertificate)(TCN_STDARGS, jlong ctx,
     const char *p;
     char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
 #ifdef HAVE_ECC
-    EC_GROUP *ecparams = NULL;
     int nid;
-    EC_KEY *eckey = NULL;
 #endif
     EVP_PKEY *evp;
 
@@ -1043,14 +1041,10 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCertificate)(TCN_STDARGS, jlong ctx,
      */
     /* XXX Does this also work for pkcs12 or only for PEM files?
      * If only for PEM files move above to the PEM handling */
-    if ((ecparams = SSL_ec_GetParamFromFile(cert_file)) &&
-        (nid = EC_GROUP_get_curve_name(ecparams)) &&
-        (eckey = EC_KEY_new_by_curve_name(nid))) {
-        SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
-    }
-    /* OpenSSL assures us that _free() is NULL-safe */
-    EC_KEY_free(eckey);
-    EC_GROUP_free(ecparams);
+    nid = SSL_ec_GetParamFromFile(cert_file);
+    if (nid != NID_undef) {
+        SSL_CTX_set1_groups(c->ctx, &nid, 1);
+    }
 #endif
     SSL_CTX_set_dh_auto(c->ctx, 1);
 
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 8e0e23219..ce4f79b2d 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -198,16 +198,41 @@ EVP_PKEY *SSL_dh_GetParamFromFile(const char *file)
 }
 
 #ifdef HAVE_ECC
-EC_GROUP *SSL_ec_GetParamFromFile(const char *file)
+int SSL_ec_GetParamFromFile(const char *file)
 {
-    EC_GROUP *group = NULL;
+    EVP_PKEY *evp = NULL;
     BIO *bio;
+    char curve_name[80];
 
     if ((bio = BIO_new_file(file, "r")) == NULL)
-        return NULL;
-    group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
+        return NID_undef;
+    evp = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL);
     BIO_free(bio);
-    return (group);
+    if (evp && !EVP_PKEY_is_a(evp, "EC")) {
+        EVP_PKEY_free(evp);
+        return NID_undef;
+    }
+
+    OSSL_PARAM param[] = {
+        OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, 
curve_name, sizeof(curve_name)),
+        OSSL_PARAM_construct_end()
+    };
+
+    /* Query the curve name from the EVP_PKEY params object */
+    if (EVP_PKEY_get_params(evp, param) <= 0) {
+        EVP_PKEY_free(evp);
+        return NID_undef; /* Failed to retrieve the curve name */
+    }
+
+    /* Convert the curve name to the NID */
+    int nid = OBJ_sn2nid(curve_name);
+    if (nid == NID_undef) {
+        /* If the short name didn't resolve, try the long name */
+        nid = OBJ_ln2nid(curve_name);
+    }
+
+    EVP_PKEY_free(evp);
+    return nid; /* Returns the curve's NID, or NID_undef on failure */
 }
 #endif
 
diff --git a/xdocs/miscellaneous/changelog.xml 
b/xdocs/miscellaneous/changelog.xml
index 94da1de41..3c875e466 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -66,6 +66,10 @@
       <bug>69939</bug>: Fix the cause of a crash with OpenSSL 3.0.x when a
       certificate PEM file does not contain explicit DH parameters. (markt)
     </fix>
+    <fix>
+      Refactor extraction of ECDH curve name from the Certificate to avoid
+      deprecated OpenSSL methods. (markt)
+    </fix>
   </changelog>
 </section>
 <section name="2.0.12" rtext="2026-01-12">


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to