curl_ntlm_core: use wolfCrypt DES API with wolfSSL

Replacing the last uses of the OpenSSL compatibility API, and dropping
the redefinition of external symbols.

Closes #21247
Viktor Szakats 2026-04-07 01:49:12 +02:00
parent f974a00aba
commit a0d5d8fea3
7 changed files with 61 additions and 70 deletions


@ -1063,9 +1063,9 @@ endmacro()
if(USE_WOLFSSL)
curl_openssl_check_exists("wolfSSL_get_peer_certificate" HAVE_WOLFSSL_GET_PEER_CERTIFICATE)
curl_openssl_check_exists("wolfSSL_UseALPN" HAVE_WOLFSSL_USEALPN)
curl_openssl_check_exists("wolfSSL_DES_ecb_encrypt" HAVE_WOLFSSL_DES_ECB_ENCRYPT)
curl_openssl_check_exists("wolfSSL_BIO_new" HAVE_WOLFSSL_BIO_NEW)
curl_openssl_check_exists("wolfSSL_BIO_set_shutdown" HAVE_WOLFSSL_BIO_SET_SHUTDOWN)
curl_openssl_check_exists("wc_Des_EcbEncrypt" HAVE_WC_DES_ECBENCRYPT)
endif()
if(USE_OPENSSL)
@ -1962,7 +1962,7 @@ if(CURL_ENABLE_NTLM AND
(USE_MBEDTLS AND HAVE_MBEDTLS_DES_CRYPT_ECB) OR
USE_GNUTLS OR
USE_WIN32_CRYPTO OR
(USE_WOLFSSL AND HAVE_WOLFSSL_DES_ECB_ENCRYPT)))
(USE_WOLFSSL AND HAVE_WC_DES_ECBENCRYPT)))
set(_use_curl_ntlm_core ON)
endif()


@ -5152,7 +5152,7 @@ if test "$CURL_ENABLE_NTLM" = "1"; then
if test "$HAVE_DES_ECB_ENCRYPT" = "1" ||
test "$GNUTLS_ENABLED" = "1" ||
test "$USE_WIN32_CRYPTO" = "1" ||
test "$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "1" ||
test "$HAVE_WC_DES_ECBENCRYPT" = "1" ||
test "$HAVE_MBEDTLS_DES_CRYPT_ECB" = "1"; then
use_curl_ntlm_core=yes
fi


@ -535,11 +535,11 @@ Available variables:
- `HAVE_WOLFSSL_BIO_NEW`: `wolfSSL_BIO_new` present in wolfSSL.
- `HAVE_WOLFSSL_BIO_SET_SHUTDOWN`: `wolfSSL_BIO_set_shutdown` present in wolfSSL.
- `HAVE_WOLFSSL_CTX_GENERATEECHCONFIG`: `wolfSSL_CTX_GenerateEchConfig` present in wolfSSL.
- `HAVE_WOLFSSL_DES_ECB_ENCRYPT`: `wolfSSL_DES_ecb_encrypt` present in wolfSSL.
- `HAVE_WOLFSSL_GET_PEER_CERTIFICATE`: `wolfSSL_get_peer_certificate` present in wolfSSL.
- `HAVE_WOLFSSL_SET_QUIC_USE_LEGACY_CODEPOINT`:
`wolfSSL_set_quic_use_legacy_codepoint` present in wolfSSL.
- `HAVE_WOLFSSL_USEALPN`: `wolfSSL_UseALPN` present in wolfSSL.
- `HAVE_WC_DES_ECBENCRYPT`: `wc_Des_EcbEncrypt` present in wolfSSL.
For each of the above variables, if the variable is *defined* (either to `ON`
or `OFF`), the symbol detection is skipped. If the variable is *not defined*,


@ -673,15 +673,15 @@ ${SIZEOF_TIME_T_CODE}
/* if wolfSSL has the wolfSSL_UseALPN function. */
#cmakedefine HAVE_WOLFSSL_USEALPN 1
/* if wolfSSL has the wolfSSL_DES_ecb_encrypt function. */
#cmakedefine HAVE_WOLFSSL_DES_ECB_ENCRYPT 1
/* if wolfSSL has the wolfSSL_BIO_new function. */
#cmakedefine HAVE_WOLFSSL_BIO_NEW 1
/* if wolfSSL has the wolfSSL_BIO_set_shutdown function. */
#cmakedefine HAVE_WOLFSSL_BIO_SET_SHUTDOWN 1
/* if wolfSSL has the wc_Des_EcbEncrypt function. */
#cmakedefine HAVE_WC_DES_ECBENCRYPT 1
/* if libssh is in use */
#cmakedefine USE_LIBSSH 1


@ -49,59 +49,30 @@
in NTLM type-3 messages.
*/
#ifdef USE_MBEDTLS
#include <mbedtls/version.h>
#if MBEDTLS_VERSION_NUMBER < 0x03020000
#error "mbedTLS 3.2.0 or later required"
#endif
#endif
#if defined(USE_OPENSSL) && defined(HAVE_DES_ECB_ENCRYPT)
# define USE_OPENSSL_DES
#elif defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT)
# define USE_OPENSSL_DES
#elif defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)
# define USE_MBEDTLS_DES
#endif
#ifdef USE_OPENSSL_DES
#ifdef USE_OPENSSL
# include <openssl/des.h>
# ifdef OPENSSL_IS_AWSLC /* for versions 1.2.0 to 1.30.1 */
# define DES_set_key_unchecked (void)DES_set_key
# endif
# define DESKEY(x) &x
#else
# define USE_OPENSSL_DES
#elif defined(USE_WOLFSSL) && defined(HAVE_WC_DES_ECBENCRYPT)
# include <wolfssl/options.h>
# include <wolfssl/openssl/des.h>
# include <wolfssl/version.h>
# ifdef OPENSSL_COEXIST
# define DES_key_schedule WOLFSSL_DES_key_schedule
# define DES_cblock WOLFSSL_DES_cblock
# define DES_set_odd_parity wolfSSL_DES_set_odd_parity
# define DES_set_key wolfSSL_DES_set_key
# define DES_set_key_unchecked wolfSSL_DES_set_key_unchecked
# define DES_ecb_encrypt wolfSSL_DES_ecb_encrypt
# define DESKEY(x) ((WOLFSSL_DES_key_schedule *)(x))
# if LIBWOLFSSL_VERSION_HEX >= 0x05007006
# define DES_ENCRYPT WC_DES_ENCRYPT
# define DES_DECRYPT WC_DES_DECRYPT
# endif
# else
# define DESKEY(x) &x
# endif
#endif
# include <wolfssl/wolfcrypt/des3.h>
# define USE_WOLFSSL_DES
#elif defined(USE_GNUTLS)
# include <nettle/des.h>
# define USE_CURL_DES_SET_ODD_PARITY
#elif defined(USE_MBEDTLS_DES)
#elif defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)
# include <mbedtls/version.h>
# if MBEDTLS_VERSION_NUMBER < 0x03020000
# error "mbedTLS 3.2.0 or later required"
# endif
# include <mbedtls/des.h>
# define USE_MBEDTLS_DES
#elif defined(USE_OS400CRYPTO)
# include "cipher.mih" /* mih/cipher */
# define USE_CURL_DES_SET_ODD_PARITY
@ -192,8 +163,19 @@ static void setup_des_key(const unsigned char *key_56, DES_key_schedule *ks)
DES_set_key_unchecked(&key, ks);
}
#elif defined(USE_GNUTLS)
#elif defined(USE_WOLFSSL_DES)
static void setup_des_key(const unsigned char *key_56, Des *des)
{
byte key[8];
/* Expand the 56-bit key to 64 bits */
extend_key_56_to_64(key_56, (char *)key);
/* Set the key */
wc_Des_SetKey(des, key, NULL, 0);
}
#elif defined(USE_GNUTLS)
static void setup_des_key(const unsigned char *key_56, struct des_ctx *des)
{
char key[8];
@ -209,7 +191,6 @@ static void setup_des_key(const unsigned char *key_56, struct des_ctx *des)
}
#elif defined(USE_MBEDTLS_DES)
static bool encrypt_des(const unsigned char *in, unsigned char *out,
const unsigned char *key_56)
{
@ -229,7 +210,6 @@ static bool encrypt_des(const unsigned char *in, unsigned char *out,
}
#elif defined(USE_OS400CRYPTO)
static bool encrypt_des(const unsigned char *in, unsigned char *out,
const unsigned char *key_56)
{
@ -253,7 +233,6 @@ static bool encrypt_des(const unsigned char *in, unsigned char *out,
}
#elif defined(USE_WIN32_CRYPTO)
static bool encrypt_des(const unsigned char *in, unsigned char *out,
const unsigned char *key_56)
{
@ -316,17 +295,25 @@ void Curl_ntlm_core_lm_resp(const unsigned char *keys,
#ifdef USE_OPENSSL_DES
DES_key_schedule ks;
setup_des_key(keys, DESKEY(ks));
setup_des_key(keys, &ks);
DES_ecb_encrypt((DES_cblock *)CURL_UNCONST(plaintext),
(DES_cblock *)results, DESKEY(ks), DES_ENCRYPT);
(DES_cblock *)results, &ks, DES_ENCRYPT);
setup_des_key(keys + 7, DESKEY(ks));
setup_des_key(keys + 7, &ks);
DES_ecb_encrypt((DES_cblock *)CURL_UNCONST(plaintext),
(DES_cblock *)(results + 8), DESKEY(ks), DES_ENCRYPT);
(DES_cblock *)(results + 8), &ks, DES_ENCRYPT);
setup_des_key(keys + 14, DESKEY(ks));
setup_des_key(keys + 14, &ks);
DES_ecb_encrypt((DES_cblock *)CURL_UNCONST(plaintext),
(DES_cblock *)(results + 16), DESKEY(ks), DES_ENCRYPT);
(DES_cblock *)(results + 16), &ks, DES_ENCRYPT);
#elif defined(USE_WOLFSSL_DES)
Des des;
setup_des_key(keys, &des);
wc_Des_EcbEncrypt(&des, results, plaintext, DES_KEY_SIZE);
setup_des_key(keys + 7, &des);
wc_Des_EcbEncrypt(&des, results + 8, plaintext, DES_KEY_SIZE);
setup_des_key(keys + 14, &des);
wc_Des_EcbEncrypt(&des, results + 16, plaintext, DES_KEY_SIZE);
#elif defined(USE_GNUTLS)
struct des_ctx des;
setup_des_key(keys, &des);
@ -364,17 +351,22 @@ CURLcode Curl_ntlm_core_mk_lm_hash(const char *password,
{
/* Create LanManager hashed password. */
#ifdef USE_OPENSSL_DES
DES_key_schedule ks;
setup_des_key(pw, DESKEY(ks));
setup_des_key(pw, &ks);
DES_ecb_encrypt((DES_cblock *)CURL_UNCONST(magic),
(DES_cblock *)lmbuffer, DESKEY(ks), DES_ENCRYPT);
(DES_cblock *)lmbuffer, &ks, DES_ENCRYPT);
setup_des_key(pw + 7, DESKEY(ks));
setup_des_key(pw + 7, &ks);
DES_ecb_encrypt((DES_cblock *)CURL_UNCONST(magic),
(DES_cblock *)(lmbuffer + 8), DESKEY(ks), DES_ENCRYPT);
(DES_cblock *)(lmbuffer + 8), &ks, DES_ENCRYPT);
#elif defined(USE_WOLFSSL_DES)
Des des;
setup_des_key(pw, &des);
wc_Des_EcbEncrypt(&des, lmbuffer, magic, DES_KEY_SIZE);
setup_des_key(pw + 7, &des);
wc_Des_EcbEncrypt(&des, lmbuffer + 8, magic, DES_KEY_SIZE);
#elif defined(USE_GNUTLS)
struct des_ctx des;
setup_des_key(pw, &des);
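Review bot: The int status of wc_Des_SetKey in the new USE_WOLFSSL_DES setup_des_key, and of wc_Des_EcbEncrypt at the six new call sites in Curl_ntlm_core_lm_resp and Curl_ntlm_core_mk_lm_hash, is dropped, so a failure would leave results/lmbuffer holding whatever the caller passed in and the NTLM response would silently be built from it. The OpenSSL and GnuTLS helpers are void as well, so if that is deliberate, say so with a `(void)` cast and a one-line comment; otherwise the cleaner fit is the bool-returning encrypt_des shape the mbedTLS, OS400 and Win32 backends already use, with wc_Des_EcbEncrypt's status deciding the return. Two smaller points: the length argument is the size of the 8-byte plaintext block, so `DES_BLOCK_SIZE` states the intent where `DES_KEY_SIZE` only happens to be equal, and the bare `0` in `wc_Des_SetKey(des, key, NULL, 0)` would read better as the direction constant des3.h exports for it (DES_ENCRYPTION, if I recall the header correctly). Curl_ntlm_core_mk_lm_hash continues past the end of the hunk.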


@ -767,7 +767,7 @@
defined(USE_GNUTLS) || \
(defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \
(defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT))
(defined(USE_WOLFSSL) && defined(HAVE_WC_DES_ECBENCRYPT))
# define USE_CURL_NTLM_CORE
# endif
# if defined(USE_CURL_NTLM_CORE) || defined(USE_WINDOWS_SSPI)


@ -133,19 +133,18 @@ if test "$OPT_WOLFSSL" != "no"; then
AC_CHECK_FUNCS([wolfSSL_set_quic_use_legacy_codepoint], [QUIC_ENABLED=yes])
dnl wolfSSL needs configure --enable-opensslextra to have *get_peer*
dnl DES* is needed for NTLM support and lives in the OpenSSL compatibility
dnl layer
dnl wc_Des_EcbEncrypt is needed for NTLM support.
dnl if wolfSSL_BIO_set_shutdown is present, we have the full BIO feature set
AC_CHECK_FUNCS(wolfSSL_get_peer_certificate \
wolfSSL_UseALPN \
wolfSSL_DES_ecb_encrypt \
wolfSSL_BIO_new \
wolfSSL_BIO_set_shutdown)
wolfSSL_BIO_set_shutdown \
wc_Des_EcbEncrypt)
dnl if this symbol is present, we want the include path to include the
dnl OpenSSL API root as well
if test "$ac_cv_func_wolfSSL_DES_ecb_encrypt" = "yes"; then
HAVE_WOLFSSL_DES_ECB_ENCRYPT=1
if test "$ac_cv_func_wc_Des_EcbEncrypt" = "yes"; then
HAVE_WC_DES_ECBENCRYPT=1
fi
dnl if this symbol is present, we can make use of BIO filter chains