NTLM: disable if DES support missing from OpenSSL or mbedTLS

Make autotools and cmake detect DES support in OpenSSL and mbedTLS.
Forward feature macros to C and omit NTLM from the feature preview list.
Use the feature macros in source. This ensures that `-V` output matches
the preview.

OpenSSL doesn't support DES when built with `no-des` or `no-deprecated`.
mbedTLS 4.x no longer supports it, and it's possible to disable it in
<4 with `scripts/config.py unset MBEDTLS_DES_C`.

Before this patch this worked for
mbedTLS 4 only, and with a regression for pending PR #16973.

Also:

- drop NTLM feature check from `curl_setup.h` in favour of autotools/
  cmake feature macros. This makes `curl_setup.h` no longer need
  to include an mbedTLS header, which in turn makes tests/server build
  without depending on mbedTLS.
  Fixing, in #16973:
  ```
  In file included from tests/server/first.h:40,
                   from bld/tests/server/servers.c:3:
  lib/curl_setup.h:741:10: fatal error: mbedtls/version.h: No such file or directory
    741 | #include <mbedtls/version.h>
        |          ^~~~~~~~~~~~~~~~~~~
  ```
  Ref: https://github.com/curl/curl/actions/runs/18689537893/job/53291322012?pr=16973
  Ref: #19181 (initial fix idea)
  Follow-up to 3a305831d1 #19077

- move back mbedTLS header include and version check from
  `curl_setup.h` to each source which consumes mbedTLS.

- GHA/http3-linux: drop workaround that disabled NTLM for
  `no-deprecated` OpenSSL builds.
  Follow-up to 006977859d #12384

- curl_ntlm_core: drop pointless macro `CURL_NTLM_NOT_SUPPORTED`.
  Follow-up to 006977859d #12384

Closes #19206
Viktor Szakats 2025-10-23 22:08:53 +02:00
parent 1de4a9a5fb
commit 4a6fbd5e1d
No known key found for this signature in database
GPG Key ID: B5ABD165E2AEF201
12 changed files with 95 additions and 79 deletions


@ -334,8 +334,7 @@ jobs:
PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/openssl/build/lib
--with-ngtcp2 --disable-ntlm
--with-openssl=/home/runner/openssl/build --enable-ssls-export
--with-openssl=/home/runner/openssl/build --with-ngtcp2 --enable-ssls-export
- name: 'openssl'
install_steps: skipall
@ -343,7 +342,6 @@ jobs:
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_NGTCP2=ON
-DCURL_DISABLE_LDAP=ON
-DCURL_DISABLE_NTLM=ON
-DCMAKE_UNITY_BUILD=ON
- name: 'libressl'
@ -351,29 +349,25 @@ jobs:
PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/libressl/build/lib
--with-ngtcp2 --disable-ntlm
--with-openssl=/home/runner/libressl/build --enable-ssls-export
--with-openssl=/home/runner/libressl/build --with-ngtcp2 --enable-ssls-export
--enable-unity
- name: 'libressl'
PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/libressl/build
-DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
-DOPENSSL_ROOT_DIR=/home/runner/libressl/build -DUSE_NGTCP2=ON
- name: 'awslc'
install_steps: skipall
PKG_CONFIG_PATH: /home/runner/awslc/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/awslc/build/lib
--with-ngtcp2 --disable-ntlm
--with-openssl=/home/runner/awslc/build --enable-ssls-export
--with-openssl=/home/runner/awslc/build --with-ngtcp2 --enable-ssls-export
- name: 'awslc'
PKG_CONFIG_PATH: /home/runner/awslc/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/awslc/build -DBUILD_SHARED_LIBS=OFF
-DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
-DOPENSSL_ROOT_DIR=/home/runner/awslc/build -DUSE_NGTCP2=ON -DBUILD_SHARED_LIBS=OFF
-DCMAKE_UNITY_BUILD=ON
- name: 'boringssl'
@ -381,14 +375,12 @@ jobs:
PKG_CONFIG_PATH: /home/runner/boringssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2-boringssl/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/boringssl/build/lib
--with-ngtcp2 --disable-ntlm
--with-openssl=/home/runner/boringssl/build --enable-ssls-export
--with-openssl=/home/runner/boringssl/build --with-ngtcp2 --enable-ssls-export
- name: 'boringssl'
PKG_CONFIG_PATH: /home/runner/boringssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2-boringssl/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/boringssl/build -DBUILD_SHARED_LIBS=OFF
-DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
-DOPENSSL_ROOT_DIR=/home/runner/boringssl/build -DUSE_NGTCP2=ON -DBUILD_SHARED_LIBS=OFF
-DCMAKE_UNITY_BUILD=ON
- name: 'gnutls'
@ -397,15 +389,13 @@ jobs:
PKG_CONFIG_PATH: /home/runner/gnutls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/gnutls/build/lib
--with-ngtcp2
--with-gnutls=/home/runner/gnutls/build --enable-ssls-export
--with-gnutls=/home/runner/gnutls/build --with-ngtcp2 --enable-ssls-export
- name: 'gnutls'
install_packages: nettle-dev libp11-kit-dev
PKG_CONFIG_PATH: /home/runner/gnutls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
-DCURL_USE_GNUTLS=ON
-DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
-DCURL_USE_GNUTLS=ON -DUSE_NGTCP2=ON
-DCMAKE_UNITY_BUILD=ON
- name: 'wolfssl'
@ -413,9 +403,7 @@ jobs:
PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/wolfssl/build/lib
--with-ngtcp2
--with-wolfssl=/home/runner/wolfssl/build
--enable-ech --enable-ssls-export
--with-wolfssl=/home/runner/wolfssl/build --with-ngtcp2 --enable-ech --enable-ssls-export
--enable-unity
- name: 'wolfssl'
@ -429,7 +417,6 @@ jobs:
PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/openssl/build/lib
--disable-ntlm
--with-openssl=/home/runner/openssl/build --with-openssl-quic
- name: 'openssl-quic'
@ -437,7 +424,6 @@ jobs:
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_OPENSSL_QUIC=ON
-DCURL_DISABLE_LDAP=ON
-DCURL_DISABLE_NTLM=ON
-DCMAKE_UNITY_BUILD=ON
- name: 'quiche'


@ -868,6 +868,18 @@ if(CURL_USE_MBEDTLS)
set(_valid_default_ssl_backend TRUE)
endif()
set(_curl_ca_bundle_supported TRUE)
if(MBEDTLS_VERSION VERSION_GREATER_EQUAL 4.0.0)
set(HAVE_MBEDTLS_DES_CRYPT_ECB 0) # pre-fill detection result
endif()
if(NOT DEFINED HAVE_MBEDTLS_DES_CRYPT_ECB)
cmake_push_check_state()
list(APPEND CMAKE_REQUIRED_INCLUDES "${MBEDTLS_INCLUDE_DIRS}")
list(APPEND CMAKE_REQUIRED_LIBRARIES "${MBEDTLS_LIBRARIES}")
curl_required_libpaths("${MBEDTLS_LIBRARY_DIRS}")
check_function_exists("mbedtls_des_crypt_ecb" HAVE_MBEDTLS_DES_CRYPT_ECB) # in mbedTLS <4
cmake_pop_check_state()
endif()
endif()
if(CURL_USE_WOLFSSL)
@ -1075,6 +1087,9 @@ if(USE_WOLFSSL)
endif()
if(USE_OPENSSL)
if(NOT DEFINED HAVE_DES_ECB_ENCRYPT)
curl_openssl_check_exists("DES_ecb_encrypt" "openssl/des.h" HAVE_DES_ECB_ENCRYPT)
endif()
if(NOT DEFINED HAVE_SSL_SET0_WBIO)
curl_openssl_check_exists("SSL_set0_wbio" HAVE_SSL_SET0_WBIO)
endif()
@ -2079,8 +2094,8 @@ endmacro()
# NTLM support requires crypto functions from various SSL libs.
# These conditions must match those in lib/curl_setup.h.
if(NOT CURL_DISABLE_NTLM AND
(USE_OPENSSL OR
(USE_MBEDTLS AND MBEDTLS_VERSION VERSION_LESS 4.0.0) OR
((USE_OPENSSL AND HAVE_DES_ECB_ENCRYPT) OR
(USE_MBEDTLS AND HAVE_MBEDTLS_DES_CRYPT_ECB) OR
USE_GNUTLS OR
USE_WIN32_CRYPTO OR
(USE_WOLFSSL AND HAVE_WOLFSSL_DES_ECB_ENCRYPT)))


@ -5252,12 +5252,11 @@ fi
use_curl_ntlm_core=no
if test "x$CURL_DISABLE_NTLM" != "x1"; then
if test "x$OPENSSL_ENABLED" = "x1" \
if test "x$HAVE_DES_ECB_ENCRYPT" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" \
-o "x$USE_WIN32_CRYPTO" = "x1" \
-o "x$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "x1"; then
use_curl_ntlm_core=yes
elif test "x$MBEDTLS_ENABLED" = "x1" && test "$mbedtls_4" = "0"; then
-o "x$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "x1" \
-o "x$HAVE_MBEDTLS_DES_CRYPT_ECB" = "x1"; then
use_curl_ntlm_core=yes
fi
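Review bot: The rewritten test depends on `$HAVE_DES_ECB_ENCRYPT` and `$HAVE_MBEDTLS_DES_CRYPT_ECB`, but neither shell variable is initialised anywhere visible: m4/curl-openssl.m4 and m4/curl-mbedtls.m4 assign them only in the success branch of their probes, whereas the removed `mbedtls_4=0` did start its flag from a known value. A generated configure script inherits the caller's environment, so a stray `HAVE_DES_ECB_ENCRYPT=1` in that environment would now switch on `use_curl_ntlm_core` with no DES-capable backend, something the old `$OPENSSL_ENABLED` gate made harder. Setting `HAVE_DES_ECB_ENCRYPT=` before the OpenSSL link probe and `HAVE_MBEDTLS_DES_CRYPT_ECB=` before `AC_CHECK_FUNCS(mbedtls_des_crypt_ecb)` keeps the result tied to detection alone. The outer `if` that this `fi` belongs to appears to close outside the hunk.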


@ -491,9 +491,11 @@ the parent project, ideally in the "extra" find package redirect file:
Available variables:
- `HAVE_DES_ECB_ENCRYPT`: `DES_ecb_encrypt` present in OpenSSL (or fork).
- `HAVE_GNUTLS_SRP`: `gnutls_srp_verifier` present in GnuTLS.
- `HAVE_LDAP_INIT_FD`: `ldap_init_fd` present in LDAP library.
- `HAVE_LDAP_URL_PARSE`: `ldap_url_parse` present in LDAP library.
- `HAVE_MBEDTLS_DES_CRYPT_ECB`: `mbedtls_des_crypt_ecb` present in mbedTLS <4.
- `HAVE_OPENSSL_SRP`: `SSL_CTX_set_srp_username` present in OpenSSL (or fork).
- `HAVE_QUICHE_CONN_SET_QLOG_FD`: `quiche_conn_set_qlog_fd` present in quiche.
- `HAVE_RUSTLS_SUPPORTED_HPKE`: `rustls_supported_hpke` present in Rustls (unused if Rustls is detected via `pkg-config`).


@ -673,6 +673,9 @@ ${SIZEOF_TIME_T_CODE}
/* if mbedTLS is enabled */
#cmakedefine USE_MBEDTLS 1
/* if mbedTLS <4 has the mbedtls_des_crypt_ecb function. */
#cmakedefine HAVE_MBEDTLS_DES_CRYPT_ECB 1
/* if Rustls is enabled */
#cmakedefine USE_RUSTLS 1
@ -801,7 +804,10 @@ ${SIZEOF_TIME_T_CODE}
#cmakedefine USE_ECH 1
/* Define to 1 if you have the wolfSSL_CTX_GenerateEchConfig function. */
#cmakedefine HAVE_WOLFSSL_CTX_GENERATEECHCONFIG
#cmakedefine HAVE_WOLFSSL_CTX_GENERATEECHCONFIG 1
/* Define to 1 if you have the SSL_set1_ech_config_list function. */
#cmakedefine HAVE_SSL_SET1_ECH_CONFIG_LIST
#cmakedefine HAVE_SSL_SET1_ECH_CONFIG_LIST 1
/* Define to 1 if OpenSSL has the DES_ecb_encrypt function. */
#cmakedefine HAVE_DES_ECB_ENCRYPT 1


@ -50,21 +50,19 @@
in NTLM type-3 messages.
*/
#ifdef USE_OPENSSL
#include <openssl/opensslconf.h>
#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0)
#define USE_OPENSSL_DES
#endif
#elif defined(USE_WOLFSSL)
#include <wolfssl/options.h>
#ifndef NO_DES3
#define USE_OPENSSL_DES
#endif
#elif defined(USE_MBEDTLS)
#include <mbedtls/version.h>
#if MBEDTLS_VERSION_NUMBER < 0x04000000
#define USE_MBEDTLS_DES
#endif
#ifdef USE_MBEDTLS
#include <mbedtls/version.h>
#if MBEDTLS_VERSION_NUMBER < 0x03020000
#error "mbedTLS 3.2.0 or later required"
#endif
#endif
#if defined(USE_OPENSSL) && defined(HAVE_DES_ECB_ENCRYPT)
#define USE_OPENSSL_DES
#elif defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT)
#define USE_OPENSSL_DES
#elif defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)
#define USE_MBEDTLS_DES
#endif
#ifdef USE_OPENSSL_DES
@ -79,6 +77,7 @@
# endif
# define DESKEY(x) &x
#else
# include <wolfssl/options.h>
# include <wolfssl/openssl/des.h>
# include <wolfssl/openssl/md5.h>
# include <wolfssl/openssl/ssl.h>
@ -111,7 +110,6 @@
# include <wincrypt.h>
#else
# error "cannot compile NTLM support without a crypto library with DES."
# define CURL_NTLM_NOT_SUPPORTED
#endif
#include "urldata.h"
@ -128,7 +126,6 @@
#include "curl_memory.h"
#include "memdebug.h"
#ifndef CURL_NTLM_NOT_SUPPORTED
/*
* Turns a 56-bit key into being 64-bit wide.
*/
@ -143,7 +140,6 @@ static void extend_key_56_to_64(const unsigned char *key_56, char *key)
key[6] = (char)(((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6));
key[7] = (char) ((key_56[6] << 1) & 0xFF);
}
#endif
#ifdef USE_OPENSSL_DES
/*
@ -328,11 +324,9 @@ CURLcode Curl_ntlm_core_mk_lm_hash(const char *password,
unsigned char *lmbuffer /* 21 bytes */)
{
unsigned char pw[14];
#ifndef CURL_NTLM_NOT_SUPPORTED
static const unsigned char magic[] = {
0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 /* i.e. KGS!@#$% */
};
#endif
size_t len = CURLMIN(strlen(password), 14);
Curl_strntoupper((char *)pw, password, len);
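Review bot: The new `USE_OPENSSL_DES` / `USE_MBEDTLS_DES` selection at the top of the first hunk now hinges on `HAVE_DES_ECB_ENCRYPT`, `HAVE_WOLFSSL_DES_ECB_ENCRYPT` and `HAVE_MBEDTLS_DES_CRYPT_ECB`, which come from the build system's generated config header, yet nothing in the file says so or that this chain must agree with the `USE_CURL_NTLM_CORE` condition in curl_setup.h (CMakeLists.txt records that coupling only for its own copy). A comment above the first `#if`, such as `/* HAVE_*DES* macros are set by configure/CMake detection; keep this chain in sync with USE_CURL_NTLM_CORE in curl_setup.h */`, would make the third copy of the condition discoverable to the next person who bumps a backend. With `CURL_NTLM_NOT_SUPPORTED` gone, the `#error` in the final `#else` is the only guard against compiling this file against a backend without DES; that is correct provided the file is only built when `USE_CURL_NTLM_CORE` is defined, which the build rules outside this diff presumably ensure. The `Curl_ntlm_core_mk_lm_hash` body in the last hunk continues past the hunk end.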


@ -737,13 +737,6 @@
# endif
#endif
#ifdef USE_MBEDTLS
#include <mbedtls/version.h>
#if MBEDTLS_VERSION_NUMBER < 0x03020000
#error "mbedTLS 3.2.0 or later required"
#endif
#endif
#if defined(USE_WOLFSSL) && defined(USE_GNUTLS)
/* Avoid defining unprefixed wolfSSL SHA macros colliding with nettle ones */
#define NO_OLD_WC_NAMES
@ -763,9 +756,9 @@
/* Single point where USE_NTLM definition might be defined */
#ifndef CURL_DISABLE_NTLM
# if defined(USE_OPENSSL) || \
# if (defined(USE_OPENSSL) && defined(HAVE_DES_ECB_ENCRYPT)) || \
defined(USE_GNUTLS) || \
(defined(USE_MBEDTLS) && MBEDTLS_VERSION_NUMBER < 0x04000000) || \
(defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \
(defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT))
# define USE_CURL_NTLM_CORE


@ -49,6 +49,10 @@
#endif
#ifdef USE_MBEDTLS
#include <mbedtls/version.h>
#if MBEDTLS_VERSION_NUMBER < 0x03020000
#error "mbedTLS 3.2.0 or later required"
#endif
#include <psa/crypto_config.h>
#if defined(PSA_WANT_ALG_MD5) && PSA_WANT_ALG_MD5 /* mbedTLS 4+ */
#define USE_MBEDTLS_MD5
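Review bot: The minimum-version check `#if MBEDTLS_VERSION_NUMBER < 0x03020000` / `#error "mbedTLS 3.2.0 or later required"` is now duplicated verbatim here, in lib/sha256.c and in lib/vtls/mbedtls.c, so the next bump of the floor has to be made in three places and a missed one silently compiles. Since the stated reason for leaving curl_setup.h is that tests/server includes it, the check could instead live in a small internal header that only the mbedTLS consumers include, giving one place to edit. Failing that, a one-line comment beside each copy naming the other two would at least make the coupling visible.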


@ -33,6 +33,10 @@
#include "curl_hmac.h"
#ifdef USE_MBEDTLS
#include <mbedtls/version.h>
#if MBEDTLS_VERSION_NUMBER < 0x03020000
#error "mbedTLS 3.2.0 or later required"
#endif
#include <psa/crypto_config.h>
#if defined(PSA_WANT_ALG_SHA_256) && PSA_WANT_ALG_SHA_256 /* mbedTLS 4+ */
#define USE_MBEDTLS_SHA256


@ -37,6 +37,9 @@
/* #define MBEDTLS_DEBUG */
#include <mbedtls/version.h>
#if MBEDTLS_VERSION_NUMBER < 0x03020000
#error "mbedTLS 3.2.0 or later required"
#endif
#include <psa/crypto_config.h>
#include <mbedtls/net_sockets.h>
#include <mbedtls/ssl.h>


@ -107,24 +107,11 @@ if test "x$OPT_MBEDTLS" != xno; then
LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE mbedtls mbedx509 mbedcrypto"
fi
mbedtls_4=0
AC_MSG_CHECKING([for mbedTLS >= v4])
AC_COMPILE_IFELSE([
AC_LANG_PROGRAM([[
#include <mbedtls/version.h>
]],[[
#if (MBEDTLS_VERSION_NUMBER >= 0x04000000)
return 0;
#else
#error older than 4
#endif
]])
],[
mbedtls_4=1
AC_MSG_RESULT([yes])
],[
AC_MSG_RESULT([no])
])
dnl Check DES support in mbedTLS <4.
AC_CHECK_FUNCS(mbedtls_des_crypt_ecb)
if test "$ac_cv_func_mbedtls_des_crypt_ecb" = 'yes'; then
HAVE_MBEDTLS_DES_CRYPT_ECB=1
fi
fi
fi dnl mbedTLS not disabled


@ -340,6 +340,29 @@ if test X"$OPT_OPENSSL" != Xno &&
AC_MSG_ERROR([--with-openssl was given but OpenSSL could not be detected])
fi
dnl ---
dnl We check OpenSSL for DES support.
dnl ---
if test "$OPENSSL_ENABLED" = "1"; then
AC_MSG_CHECKING([for DES support in OpenSSL])
AC_LINK_IFELSE([
AC_LANG_PROGRAM([[
#ifndef OPENSSL_SUPPRESS_DEPRECATED
#define OPENSSL_SUPPRESS_DEPRECATED
#endif
#include <openssl/des.h>
]],[[
DES_ecb_encrypt(0, 0, 0, DES_ENCRYPT);
]])
],[
AC_MSG_RESULT([yes])
AC_DEFINE(HAVE_DES_ECB_ENCRYPT, 1, [if you have the function DES_ecb_encrypt])
HAVE_DES_ECB_ENCRYPT=1
],[
AC_MSG_RESULT([no])
])
fi
dnl ---
dnl We require OpenSSL with SRP support.
dnl ---
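Review bot: The `AC_LANG_PROGRAM` preamble defines `OPENSSL_SUPPRESS_DEPRECATED` without saying why, and the reason is not obvious from the probe itself: DES is deprecated but still present in a default OpenSSL 3 build, so deprecation diagnostics must not be allowed to fail the check, while `no-des` and `no-deprecated` builds drop the declarations and the compile-and-link fails as the commit message intends. A comment such as `dnl DES is deprecated but usable in OpenSSL 3; suppress the warning so only a real absence (no-des, no-deprecated) fails this probe` would stop a future cleanup from removing the define and turning every OpenSSL 3 build with -Werror into a no-NTLM build. The sibling probe in m4/curl-mbedtls.m4 uses `AC_CHECK_FUNCS`, which tests linkage only; a matching comment there that the symbol is absent once `MBEDTLS_DES_C` is unset or on mbedTLS 4 would document the same intent.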