diff --git a/CMakeLists.txt b/CMakeLists.txt
index 76af84e795..e93669eb1f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1063,9 +1063,9 @@ endmacro()
 if(USE_WOLFSSL)
 curl_openssl_check_exists("wolfSSL_get_peer_certificate" HAVE_WOLFSSL_GET_PEER_CERTIFICATE)
 curl_openssl_check_exists("wolfSSL_UseALPN" HAVE_WOLFSSL_USEALPN)
- curl_openssl_check_exists("wolfSSL_DES_ecb_encrypt" HAVE_WOLFSSL_DES_ECB_ENCRYPT)
 curl_openssl_check_exists("wolfSSL_BIO_new" HAVE_WOLFSSL_BIO_NEW)
 curl_openssl_check_exists("wolfSSL_BIO_set_shutdown" HAVE_WOLFSSL_BIO_SET_SHUTDOWN)
+ curl_openssl_check_exists("wc_Des_EcbEncrypt" HAVE_WC_DES_ECBENCRYPT)
 endif()
 if(USE_OPENSSL)
@@ -1962,7 +1962,7 @@ if(CURL_ENABLE_NTLM AND
 (USE_MBEDTLS AND HAVE_MBEDTLS_DES_CRYPT_ECB) OR
 USE_GNUTLS OR
 USE_WIN32_CRYPTO OR
- (USE_WOLFSSL AND HAVE_WOLFSSL_DES_ECB_ENCRYPT)))
+ (USE_WOLFSSL AND HAVE_WC_DES_ECBENCRYPT)))
 set(_use_curl_ntlm_core ON)
 endif()
diff --git a/configure.ac b/configure.ac
index 28cd2f67df..e9a9afd773 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5152,7 +5152,7 @@ if test "$CURL_ENABLE_NTLM" = "1"; then
 if test "$HAVE_DES_ECB_ENCRYPT" = "1" ||
 test "$GNUTLS_ENABLED" = "1" ||
 test "$USE_WIN32_CRYPTO" = "1" ||
- test "$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "1" ||
+ test "$HAVE_WC_DES_ECBENCRYPT" = "1" ||
 test "$HAVE_MBEDTLS_DES_CRYPT_ECB" = "1"; then
 use_curl_ntlm_core=yes
 fi
diff --git a/docs/INSTALL-CMAKE.md b/docs/INSTALL-CMAKE.md
index 7585088f54..a4359482dc 100644
--- a/docs/INSTALL-CMAKE.md
+++ b/docs/INSTALL-CMAKE.md
@@ -535,11 +535,11 @@ Available variables:
 - `HAVE_WOLFSSL_BIO_NEW`: `wolfSSL_BIO_new` present in wolfSSL.
 - `HAVE_WOLFSSL_BIO_SET_SHUTDOWN`: `wolfSSL_BIO_set_shutdown` present in wolfSSL.
 - `HAVE_WOLFSSL_CTX_GENERATEECHCONFIG`: `wolfSSL_CTX_GenerateEchConfig` present in wolfSSL.
-- `HAVE_WOLFSSL_DES_ECB_ENCRYPT`: `wolfSSL_DES_ecb_encrypt` present in wolfSSL.
 - `HAVE_WOLFSSL_GET_PEER_CERTIFICATE`: `wolfSSL_get_peer_certificate` present in wolfSSL.
 - `HAVE_WOLFSSL_SET_QUIC_USE_LEGACY_CODEPOINT`: `wolfSSL_set_quic_use_legacy_codepoint` present in wolfSSL.
 - `HAVE_WOLFSSL_USEALPN`: `wolfSSL_UseALPN` present in wolfSSL.
+- `HAVE_WC_DES_ECBENCRYPT`: `wc_Des_EcbEncrypt` present in wolfSSL.
 For each of the above variables, if the variable is *defined* (either to `ON` or `OFF`), the symbol detection is skipped. If the variable is *not defined*,
diff --git a/lib/curl_config-cmake.h.in b/lib/curl_config-cmake.h.in
index ef32270924..41b0ddf073 100644
--- a/lib/curl_config-cmake.h.in
+++ b/lib/curl_config-cmake.h.in
@@ -673,15 +673,15 @@ ${SIZEOF_TIME_T_CODE}
 /* if wolfSSL has the wolfSSL_UseALPN function. */
 #cmakedefine HAVE_WOLFSSL_USEALPN 1
-/* if wolfSSL has the wolfSSL_DES_ecb_encrypt function. */
-#cmakedefine HAVE_WOLFSSL_DES_ECB_ENCRYPT 1
-
 /* if wolfSSL has the wolfSSL_BIO_new function. */
 #cmakedefine HAVE_WOLFSSL_BIO_NEW 1
 /* if wolfSSL has the wolfSSL_BIO_set_shutdown function. */
 #cmakedefine HAVE_WOLFSSL_BIO_SET_SHUTDOWN 1
+/* if wolfSSL has the wc_Des_EcbEncrypt function. */
+#cmakedefine HAVE_WC_DES_ECBENCRYPT 1
+
 /* if libssh is in use */
 #cmakedefine USE_LIBSSH 1
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index 11c33a49e2..cb538af918 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -49,59 +49,30 @@ in NTLM type-3 messages. */
-#ifdef USE_MBEDTLS
-#include
-#if MBEDTLS_VERSION_NUMBER < 0x03020000
-#error "mbedTLS 3.2.0 or later required"
-#endif
-#endif
-
 #if defined(USE_OPENSSL) && defined(HAVE_DES_ECB_ENCRYPT)
-# define USE_OPENSSL_DES
-#elif defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT)
-# define USE_OPENSSL_DES
-#elif defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)
-# define USE_MBEDTLS_DES
-#endif
-#ifdef USE_OPENSSL_DES
-
-#ifdef USE_OPENSSL
 # include
 # ifdef OPENSSL_IS_AWSLC /* for versions 1.2.0 to 1.30.1 */
 # define DES_set_key_unchecked (void)DES_set_key
 # endif
-# define DESKEY(x) &x
-#else
+# define USE_OPENSSL_DES
+
+#elif defined(USE_WOLFSSL) && defined(HAVE_WC_DES_ECBENCRYPT)
+
 # include
-# include
-# include
-# ifdef OPENSSL_COEXIST
-# define DES_key_schedule WOLFSSL_DES_key_schedule
-# define DES_cblock WOLFSSL_DES_cblock
-# define DES_set_odd_parity wolfSSL_DES_set_odd_parity
-# define DES_set_key wolfSSL_DES_set_key
-# define DES_set_key_unchecked wolfSSL_DES_set_key_unchecked
-# define DES_ecb_encrypt wolfSSL_DES_ecb_encrypt
-# define DESKEY(x) ((WOLFSSL_DES_key_schedule *)(x))
-# if LIBWOLFSSL_VERSION_HEX >= 0x05007006
-# define DES_ENCRYPT WC_DES_ENCRYPT
-# define DES_DECRYPT WC_DES_DECRYPT
-# endif
-# else
-# define DESKEY(x) &x
-# endif
-#endif
+# include
+# define USE_WOLFSSL_DES
 #elif defined(USE_GNUTLS)
-
 # include
 # define USE_CURL_DES_SET_ODD_PARITY
-
-#elif defined(USE_MBEDTLS_DES)
-
+#elif defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)
+# include
+# if MBEDTLS_VERSION_NUMBER < 0x03020000
+# error "mbedTLS 3.2.0 or later required"
+# endif
 # include
-
+# define USE_MBEDTLS_DES
 #elif defined(USE_OS400CRYPTO)
 # include "cipher.mih" /* mih/cipher */
 # define USE_CURL_DES_SET_ODD_PARITY
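Review bot: The two `# include` lines of the new `USE_WOLFSSL_DES` branch have lost their header names in this rendering, so the include order cannot be checked here; wolfSSL's build-options header (`wolfssl/options.h`, or whatever settings header the project uses for wolfSSL) must precede `wolfssl/wolfcrypt/des3.h`, because the `Des` struct layout and the availability of `wc_Des_EcbEncrypt` can depend on the library's compile-time options. A one-line comment above the pair, `/* options.h must precede every other wolfSSL header */`, would keep that constraint from being lost in a later reorder. Separately, the mbedTLS version check that used to run for every `USE_MBEDTLS` build is now evaluated only when `HAVE_MBEDTLS_DES_CRYPT_ECB` is also set; if this file has no other mbedTLS dependency that is the right scope, but it is a behavior change worth a line in the commit message.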
@@ -192,8 +163,19 @@ static void setup_des_key(const unsigned char *key_56, DES_key_schedule *ks)
 DES_set_key_unchecked(&key, ks);
 }
-#elif defined(USE_GNUTLS)
+#elif defined(USE_WOLFSSL_DES)
+static void setup_des_key(const unsigned char *key_56, Des *des)
+{
+ byte key[8];
+ /* Expand the 56-bit key to 64 bits */
+ extend_key_56_to_64(key_56, (char *)key);
+
+ /* Set the key */
+ wc_Des_SetKey(des, key, NULL, 0);
+}
+
+#elif defined(USE_GNUTLS)
 static void setup_des_key(const unsigned char *key_56, struct des_ctx *des)
 {
 char key[8];
@@ -209,7 +191,6 @@ static void setup_des_key(const unsigned char *key_56, struct des_ctx *des)
 }
 #elif defined(USE_MBEDTLS_DES)
-
 static bool encrypt_des(const unsigned char *in, unsigned char *out,
 const unsigned char *key_56)
 {
@@ -229,7 +210,6 @@ static bool encrypt_des(const unsigned char *in, unsigned char *out,
 }
 #elif defined(USE_OS400CRYPTO)
-
 static bool encrypt_des(const unsigned char *in, unsigned char *out,
 const unsigned char *key_56)
 {
@@ -253,7 +233,6 @@ static bool encrypt_des(const unsigned char *in, unsigned char *out,
 }
 #elif defined(USE_WIN32_CRYPTO)
-
 static bool encrypt_des(const unsigned char *in, unsigned char *out,
 const unsigned char *key_56)
 {
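Review bot: The status returned by `wc_Des_SetKey` in the new wolfSSL `setup_des_key` is discarded, and so is that of every `wc_Des_EcbEncrypt` call in the `Curl_ntlm_core_lm_resp` and `Curl_ntlm_core_mk_lm_hash` hunks that follow; if either call fails, the output buffer may be left holding stale bytes that are then used as the response. `Curl_ntlm_core_mk_lm_hash` already returns a `CURLcode`, so at least on that path the status could be propagated, which is presumably what the `bool` returned by the `encrypt_des` backends in this file is for. The direction argument is the literal `0`, which wolfSSL names `DES_ENCRYPTION`; `wc_Des_SetKey(des, key, NULL, DES_ENCRYPTION);` states the intent. The helper is complete within the hunk.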
@@ -316,17 +295,25 @@ void Curl_ntlm_core_lm_resp(const unsigned char *keys,
 #ifdef USE_OPENSSL_DES
 DES_key_schedule ks;
- setup_des_key(keys, DESKEY(ks));
+ setup_des_key(keys, &ks);
 DES_ecb_encrypt((DES_cblock *)CURL_UNCONST(plaintext),
- (DES_cblock *)results, DESKEY(ks), DES_ENCRYPT);
+ (DES_cblock *)results, &ks, DES_ENCRYPT);
- setup_des_key(keys + 7, DESKEY(ks));
+ setup_des_key(keys + 7, &ks);
 DES_ecb_encrypt((DES_cblock *)CURL_UNCONST(plaintext),
- (DES_cblock *)(results + 8), DESKEY(ks), DES_ENCRYPT);
+ (DES_cblock *)(results + 8), &ks, DES_ENCRYPT);
- setup_des_key(keys + 14, DESKEY(ks));
+ setup_des_key(keys + 14, &ks);
 DES_ecb_encrypt((DES_cblock *)CURL_UNCONST(plaintext),
- (DES_cblock *)(results + 16), DESKEY(ks), DES_ENCRYPT);
+ (DES_cblock *)(results + 16), &ks, DES_ENCRYPT);
+#elif defined(USE_WOLFSSL_DES)
+ Des des;
+ setup_des_key(keys, &des);
+ wc_Des_EcbEncrypt(&des, results, plaintext, DES_KEY_SIZE);
+ setup_des_key(keys + 7, &des);
+ wc_Des_EcbEncrypt(&des, results + 8, plaintext, DES_KEY_SIZE);
+ setup_des_key(keys + 14, &des);
+ wc_Des_EcbEncrypt(&des, results + 16, plaintext, DES_KEY_SIZE);
 #elif defined(USE_GNUTLS)
 struct des_ctx des;
 setup_des_key(keys, &des);
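Review bot: The length passed to each `wc_Des_EcbEncrypt` call in the new `USE_WOLFSSL_DES` branch is `DES_KEY_SIZE`, but that argument is the number of bytes of `plaintext` to process, i.e. one DES block; both happen to be 8 bytes for DES, so the code works, yet the name describes the wrong quantity. wolfSSL provides `DES_BLOCK_SIZE` for this, so `wc_Des_EcbEncrypt(&des, results, plaintext, DES_BLOCK_SIZE);` (and likewise for the `+ 8` and `+ 16` calls here and the two calls in the `Curl_ntlm_core_mk_lm_hash` hunk below) would document the intent. The body of `Curl_ntlm_core_lm_resp` starts before and continues after this hunk.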
@@ -364,17 +351,22 @@ CURLcode Curl_ntlm_core_mk_lm_hash(const char *password,
 {
 /* Create LanManager hashed password. */
-
 #ifdef USE_OPENSSL_DES
 DES_key_schedule ks;
- setup_des_key(pw, DESKEY(ks));
+ setup_des_key(pw, &ks);
 DES_ecb_encrypt((DES_cblock *)CURL_UNCONST(magic),
- (DES_cblock *)lmbuffer, DESKEY(ks), DES_ENCRYPT);
+ (DES_cblock *)lmbuffer, &ks, DES_ENCRYPT);
- setup_des_key(pw + 7, DESKEY(ks));
+ setup_des_key(pw + 7, &ks);
 DES_ecb_encrypt((DES_cblock *)CURL_UNCONST(magic),
- (DES_cblock *)(lmbuffer + 8), DESKEY(ks), DES_ENCRYPT);
+ (DES_cblock *)(lmbuffer + 8), &ks, DES_ENCRYPT);
+#elif defined(USE_WOLFSSL_DES)
+ Des des;
+ setup_des_key(pw, &des);
+ wc_Des_EcbEncrypt(&des, lmbuffer, magic, DES_KEY_SIZE);
+ setup_des_key(pw + 7, &des);
+ wc_Des_EcbEncrypt(&des, lmbuffer + 8, magic, DES_KEY_SIZE);
 #elif defined(USE_GNUTLS)
 struct des_ctx des;
 setup_des_key(pw, &des);
diff --git a/lib/curl_setup.h b/lib/curl_setup.h
index ed5c48dac5..7930167658 100644
--- a/lib/curl_setup.h
+++ b/lib/curl_setup.h
@@ -767,7 +767,7 @@
 defined(USE_GNUTLS) || \
 (defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)) || \
 defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \
- (defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT))
+ (defined(USE_WOLFSSL) && defined(HAVE_WC_DES_ECBENCRYPT))
 # define USE_CURL_NTLM_CORE
 # endif
 # if defined(USE_CURL_NTLM_CORE) || defined(USE_WINDOWS_SSPI)
@@ -133,19 +133,18 @@ if test "$OPT_WOLFSSL" != "no"; then
 AC_CHECK_FUNCS([wolfSSL_set_quic_use_legacy_codepoint], [QUIC_ENABLED=yes])
 dnl wolfSSL needs configure --enable-opensslextra to have *get_peer*
- dnl DES* is needed for NTLM support and lives in the OpenSSL compatibility
- dnl layer
+ dnl wc_Des_EcbEncrypt is needed for NTLM support.
 dnl if wolfSSL_BIO_set_shutdown is present, we have the full BIO feature set
 AC_CHECK_FUNCS(wolfSSL_get_peer_certificate \
 wolfSSL_UseALPN \
- wolfSSL_DES_ecb_encrypt \
 wolfSSL_BIO_new \
- wolfSSL_BIO_set_shutdown)
+ wolfSSL_BIO_set_shutdown \
+ wc_Des_EcbEncrypt)
 dnl if this symbol is present, we want the include path to include the
 dnl OpenSSL API root as well
- if test "$ac_cv_func_wolfSSL_DES_ecb_encrypt" = "yes"; then
- HAVE_WOLFSSL_DES_ECB_ENCRYPT=1
+ if test "$ac_cv_func_wc_Des_EcbEncrypt" = "yes"; then
+ HAVE_WC_DES_ECBENCRYPT=1
 fi
 dnl if this symbol is present, we can make use of BIO filter chains
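Review bot: The comment `dnl if this symbol is present, we want the include path to include the` / `dnl OpenSSL API root as well` now sits above the `wc_Des_EcbEncrypt` test, but the removed lines show that rationale belonged to `DES*` living in the OpenSSL compatibility layer; `wc_Des_EcbEncrypt` is a native wolfCrypt symbol, so as written the comment no longer explains the check it introduces. If `HAVE_WC_DES_ECBENCRYPT` no longer steers the include path, replace the two lines with `dnl wc_Des_EcbEncrypt is native wolfCrypt; no OpenSSL compat layer is needed`; if it still does (that logic is not in this hunk), say why it still applies.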