From: Viktor Szakats Date: Thu, 23 Oct 2025 20:08:53 +0000 (+0200) Subject: NTLM: disable if DES support missing from OpenSSL or mbedTLS X-Git-Tag: curl-8_17_0~115 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a6fbd5e1dd584c85c4936a1bfd08f2b12a2ea4b;p=thirdparty%2Fcurl.git NTLM: disable if DES support missing from OpenSSL or mbedTLS Make autotools and cmake detect DES support in OpenSSL and mbedTLS. Forward feature macros to C and omit NTLM from the feature preview list. Use the feature macros in source. This ensure that `-V` output matches the preview. OpenSSL doesn't support DES when built with `no-des` or `no-deprecated`. mbedTLS 4.x no longer supports it, and it's possible to disable it in <4 with `scripts/config.py unset MBEDTLS_DES_C`. Before this patch this worked for mbedTLS 4 only, and with a regression for pending PR #16973. Also: - drop NTLM feature check from `curl_setup.h` in favour of autotools/ cmake feature macros. This makes `curl_setup.h` no longer need to include an mbedTLS header, which in turn makes tests/server build without depending on mbedTLS. Fixing, in #16973: ``` In file included from tests/server/first.h:40, from bld/tests/server/servers.c:3: lib/curl_setup.h:741:10: fatal error: mbedtls/version.h: No such file or directory 741 | #include | ^~~~~~~~~~~~~~~~~~~ ``` Ref: https://github.com/curl/curl/actions/runs/18689537893/job/53291322012?pr=16973 Ref: #19181 (initial fix idea) Follow-up to 3a305831d1a9d10b2bfd4fa3939ed41275fee7f7 #19077 - move back mbedTLS header include and version check from `curl_setup.h` to each source which consumes mbedTLS. - GHA/http3-linux: drop workaround that disabled NTLM for `no-deprecated` OpenSSL builds. Follow-up to 006977859dcc4b8670878bd669276d778a2715bb #12384 - curl_ntlm_core: drop pointless macro `CURL_NTLM_NOT_SUPPORTED`. Follow-up to 006977859dcc4b8670878bd669276d778a2715bb #12384 Closes #19206 --- diff --git a/.github/workflows/http3-linux.yml b/.github/workflows/http3-linux.yml index 8971fc4e54..668de7ede4 100644 --- a/.github/workflows/http3-linux.yml +++ b/.github/workflows/http3-linux.yml @@ -334,8 +334,7 @@ jobs: PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig configure: >- LDFLAGS=-Wl,-rpath,/home/runner/openssl/build/lib - --with-ngtcp2 --disable-ntlm - --with-openssl=/home/runner/openssl/build --enable-ssls-export + --with-openssl=/home/runner/openssl/build --with-ngtcp2 --enable-ssls-export - name: 'openssl' install_steps: skipall @@ -343,7 +342,6 @@ jobs: generate: >- -DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_NGTCP2=ON -DCURL_DISABLE_LDAP=ON - -DCURL_DISABLE_NTLM=ON -DCMAKE_UNITY_BUILD=ON - name: 'libressl' @@ -351,29 +349,25 @@ jobs: PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig configure: >- LDFLAGS=-Wl,-rpath,/home/runner/libressl/build/lib - --with-ngtcp2 --disable-ntlm - --with-openssl=/home/runner/libressl/build --enable-ssls-export + --with-openssl=/home/runner/libressl/build --with-ngtcp2 --enable-ssls-export --enable-unity - name: 'libressl' PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig generate: >- - -DOPENSSL_ROOT_DIR=/home/runner/libressl/build - -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON + -DOPENSSL_ROOT_DIR=/home/runner/libressl/build -DUSE_NGTCP2=ON - name: 'awslc' install_steps: skipall PKG_CONFIG_PATH: /home/runner/awslc/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig configure: >- LDFLAGS=-Wl,-rpath,/home/runner/awslc/build/lib - --with-ngtcp2 --disable-ntlm - --with-openssl=/home/runner/awslc/build --enable-ssls-export + --with-openssl=/home/runner/awslc/build --with-ngtcp2 --enable-ssls-export - name: 'awslc' PKG_CONFIG_PATH: /home/runner/awslc/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig generate: >- - -DOPENSSL_ROOT_DIR=/home/runner/awslc/build -DBUILD_SHARED_LIBS=OFF - -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON + -DOPENSSL_ROOT_DIR=/home/runner/awslc/build -DUSE_NGTCP2=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_UNITY_BUILD=ON - name: 'boringssl' @@ -381,14 +375,12 @@ jobs: PKG_CONFIG_PATH: /home/runner/boringssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2-boringssl/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig configure: >- LDFLAGS=-Wl,-rpath,/home/runner/boringssl/build/lib - --with-ngtcp2 --disable-ntlm - --with-openssl=/home/runner/boringssl/build --enable-ssls-export + --with-openssl=/home/runner/boringssl/build --with-ngtcp2 --enable-ssls-export - name: 'boringssl' PKG_CONFIG_PATH: /home/runner/boringssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2-boringssl/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig generate: >- - -DOPENSSL_ROOT_DIR=/home/runner/boringssl/build -DBUILD_SHARED_LIBS=OFF - -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON + -DOPENSSL_ROOT_DIR=/home/runner/boringssl/build -DUSE_NGTCP2=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_UNITY_BUILD=ON - name: 'gnutls' @@ -397,15 +389,13 @@ jobs: PKG_CONFIG_PATH: /home/runner/gnutls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig configure: >- LDFLAGS=-Wl,-rpath,/home/runner/gnutls/build/lib - --with-ngtcp2 - --with-gnutls=/home/runner/gnutls/build --enable-ssls-export + --with-gnutls=/home/runner/gnutls/build --with-ngtcp2 --enable-ssls-export - name: 'gnutls' install_packages: nettle-dev libp11-kit-dev PKG_CONFIG_PATH: /home/runner/gnutls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig generate: >- - -DCURL_USE_GNUTLS=ON - -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON + -DCURL_USE_GNUTLS=ON -DUSE_NGTCP2=ON -DCMAKE_UNITY_BUILD=ON - name: 'wolfssl' @@ -413,9 +403,7 @@ jobs: PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig configure: >- LDFLAGS=-Wl,-rpath,/home/runner/wolfssl/build/lib - --with-ngtcp2 - --with-wolfssl=/home/runner/wolfssl/build - --enable-ech --enable-ssls-export + --with-wolfssl=/home/runner/wolfssl/build --with-ngtcp2 --enable-ech --enable-ssls-export --enable-unity - name: 'wolfssl' @@ -429,7 +417,6 @@ jobs: PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig configure: >- LDFLAGS=-Wl,-rpath,/home/runner/openssl/build/lib - --disable-ntlm --with-openssl=/home/runner/openssl/build --with-openssl-quic - name: 'openssl-quic' @@ -437,7 +424,6 @@ jobs: generate: >- -DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_OPENSSL_QUIC=ON -DCURL_DISABLE_LDAP=ON - -DCURL_DISABLE_NTLM=ON -DCMAKE_UNITY_BUILD=ON - name: 'quiche' diff --git a/CMakeLists.txt b/CMakeLists.txt index 3a6a731426..da3b99cff4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -868,6 +868,18 @@ if(CURL_USE_MBEDTLS) set(_valid_default_ssl_backend TRUE) endif() set(_curl_ca_bundle_supported TRUE) + + if(MBEDTLS_VERSION VERSION_GREATER_EQUAL 4.0.0) + set(HAVE_MBEDTLS_DES_CRYPT_ECB 0) # pre-fill detection result + endif() + if(NOT DEFINED HAVE_MBEDTLS_DES_CRYPT_ECB) + cmake_push_check_state() + list(APPEND CMAKE_REQUIRED_INCLUDES "${MBEDTLS_INCLUDE_DIRS}") + list(APPEND CMAKE_REQUIRED_LIBRARIES "${MBEDTLS_LIBRARIES}") + curl_required_libpaths("${MBEDTLS_LIBRARY_DIRS}") + check_function_exists("mbedtls_des_crypt_ecb" HAVE_MBEDTLS_DES_CRYPT_ECB) # in mbedTLS <4 + cmake_pop_check_state() + endif() endif() if(CURL_USE_WOLFSSL) @@ -1075,6 +1087,9 @@ if(USE_WOLFSSL) endif() if(USE_OPENSSL) + if(NOT DEFINED HAVE_DES_ECB_ENCRYPT) + curl_openssl_check_exists("DES_ecb_encrypt" "openssl/des.h" HAVE_DES_ECB_ENCRYPT) + endif() if(NOT DEFINED HAVE_SSL_SET0_WBIO) curl_openssl_check_exists("SSL_set0_wbio" HAVE_SSL_SET0_WBIO) endif() @@ -2079,8 +2094,8 @@ endmacro() # NTLM support requires crypto functions from various SSL libs. # These conditions must match those in lib/curl_setup.h. if(NOT CURL_DISABLE_NTLM AND - (USE_OPENSSL OR - (USE_MBEDTLS AND MBEDTLS_VERSION VERSION_LESS 4.0.0) OR + ((USE_OPENSSL AND HAVE_DES_ECB_ENCRYPT) OR + (USE_MBEDTLS AND HAVE_MBEDTLS_DES_CRYPT_ECB) OR USE_GNUTLS OR USE_WIN32_CRYPTO OR (USE_WOLFSSL AND HAVE_WOLFSSL_DES_ECB_ENCRYPT))) diff --git a/configure.ac b/configure.ac index 97d0310497..cc16f4120a 100644 --- a/configure.ac +++ b/configure.ac @@ -5252,12 +5252,11 @@ fi use_curl_ntlm_core=no if test "x$CURL_DISABLE_NTLM" != "x1"; then - if test "x$OPENSSL_ENABLED" = "x1" \ + if test "x$HAVE_DES_ECB_ENCRYPT" = "x1" \ -o "x$GNUTLS_ENABLED" = "x1" \ -o "x$USE_WIN32_CRYPTO" = "x1" \ - -o "x$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "x1"; then - use_curl_ntlm_core=yes - elif test "x$MBEDTLS_ENABLED" = "x1" && test "$mbedtls_4" = "0"; then + -o "x$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "x1" \ + -o "x$HAVE_MBEDTLS_DES_CRYPT_ECB" = "x1"; then use_curl_ntlm_core=yes fi diff --git a/docs/INSTALL-CMAKE.md b/docs/INSTALL-CMAKE.md index c622b83920..4b9b85326f 100644 --- a/docs/INSTALL-CMAKE.md +++ b/docs/INSTALL-CMAKE.md @@ -491,9 +491,11 @@ the parent project, ideally in the "extra" find package redirect file: Available variables: +- `HAVE_DES_ECB_ENCRYPT`: `DES_ecb_encrypt` present in OpenSSL (or fork). - `HAVE_GNUTLS_SRP`: `gnutls_srp_verifier` present in GnuTLS. - `HAVE_LDAP_INIT_FD`: `ldap_init_fd` present in LDAP library. - `HAVE_LDAP_URL_PARSE`: `ldap_url_parse` present in LDAP library. +- `HAVE_MBEDTLS_DES_CRYPT_ECB`: `mbedtls_des_crypt_ecb` present in mbedTLS <4. - `HAVE_OPENSSL_SRP`: `SSL_CTX_set_srp_username` present in OpenSSL (or fork). - `HAVE_QUICHE_CONN_SET_QLOG_FD`: `quiche_conn_set_qlog_fd` present in quiche. - `HAVE_RUSTLS_SUPPORTED_HPKE`: `rustls_supported_hpke` present in Rustls (unused if Rustls is detected via `pkg-config`). diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake index 1fabc24c18..88b991d7ef 100644 --- a/lib/curl_config.h.cmake +++ b/lib/curl_config.h.cmake @@ -673,6 +673,9 @@ ${SIZEOF_TIME_T_CODE} /* if mbedTLS is enabled */ #cmakedefine USE_MBEDTLS 1 +/* if mbedTLS <4 has the mbedtls_des_crypt_ecb function. */ +#cmakedefine HAVE_MBEDTLS_DES_CRYPT_ECB 1 + /* if Rustls is enabled */ #cmakedefine USE_RUSTLS 1 @@ -801,7 +804,10 @@ ${SIZEOF_TIME_T_CODE} #cmakedefine USE_ECH 1 /* Define to 1 if you have the wolfSSL_CTX_GenerateEchConfig function. */ -#cmakedefine HAVE_WOLFSSL_CTX_GENERATEECHCONFIG +#cmakedefine HAVE_WOLFSSL_CTX_GENERATEECHCONFIG 1 /* Define to 1 if you have the SSL_set1_ech_config_list function. */ -#cmakedefine HAVE_SSL_SET1_ECH_CONFIG_LIST +#cmakedefine HAVE_SSL_SET1_ECH_CONFIG_LIST 1 + +/* Define to 1 if OpenSSL has the DES_ecb_encrypt function. */ +#cmakedefine HAVE_DES_ECB_ENCRYPT 1 diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c index a81e97f0ce..be273f0c90 100644 --- a/lib/curl_ntlm_core.c +++ b/lib/curl_ntlm_core.c @@ -50,21 +50,19 @@ in NTLM type-3 messages. */ -#ifdef USE_OPENSSL - #include - #if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) - #define USE_OPENSSL_DES - #endif -#elif defined(USE_WOLFSSL) - #include - #ifndef NO_DES3 - #define USE_OPENSSL_DES - #endif -#elif defined(USE_MBEDTLS) - #include - #if MBEDTLS_VERSION_NUMBER < 0x04000000 - #define USE_MBEDTLS_DES - #endif +#ifdef USE_MBEDTLS +#include +#if MBEDTLS_VERSION_NUMBER < 0x03020000 + #error "mbedTLS 3.2.0 or later required" +#endif +#endif + +#if defined(USE_OPENSSL) && defined(HAVE_DES_ECB_ENCRYPT) + #define USE_OPENSSL_DES +#elif defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT) + #define USE_OPENSSL_DES +#elif defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB) + #define USE_MBEDTLS_DES #endif #ifdef USE_OPENSSL_DES @@ -79,6 +77,7 @@ # endif # define DESKEY(x) &x #else +# include # include # include # include @@ -111,7 +110,6 @@ # include #else # error "cannot compile NTLM support without a crypto library with DES." -# define CURL_NTLM_NOT_SUPPORTED #endif #include "urldata.h" @@ -128,7 +126,6 @@ #include "curl_memory.h" #include "memdebug.h" -#ifndef CURL_NTLM_NOT_SUPPORTED /* * Turns a 56-bit key into being 64-bit wide. */ @@ -143,7 +140,6 @@ static void extend_key_56_to_64(const unsigned char *key_56, char *key) key[6] = (char)(((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6)); key[7] = (char) ((key_56[6] << 1) & 0xFF); } -#endif #ifdef USE_OPENSSL_DES /* @@ -328,11 +324,9 @@ CURLcode Curl_ntlm_core_mk_lm_hash(const char *password, unsigned char *lmbuffer /* 21 bytes */) { unsigned char pw[14]; -#ifndef CURL_NTLM_NOT_SUPPORTED static const unsigned char magic[] = { 0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 /* i.e. KGS!@#$% */ }; -#endif size_t len = CURLMIN(strlen(password), 14); Curl_strntoupper((char *)pw, password, len); diff --git a/lib/curl_setup.h b/lib/curl_setup.h index 4934baa22b..7c033623c5 100644 --- a/lib/curl_setup.h +++ b/lib/curl_setup.h @@ -737,13 +737,6 @@ # endif #endif -#ifdef USE_MBEDTLS -#include -#if MBEDTLS_VERSION_NUMBER < 0x03020000 - #error "mbedTLS 3.2.0 or later required" -#endif -#endif - #if defined(USE_WOLFSSL) && defined(USE_GNUTLS) /* Avoid defining unprefixed wolfSSL SHA macros colliding with nettle ones */ #define NO_OLD_WC_NAMES @@ -763,9 +756,9 @@ /* Single point where USE_NTLM definition might be defined */ #ifndef CURL_DISABLE_NTLM -# if defined(USE_OPENSSL) || \ +# if (defined(USE_OPENSSL) && defined(HAVE_DES_ECB_ENCRYPT)) || \ defined(USE_GNUTLS) || \ - (defined(USE_MBEDTLS) && MBEDTLS_VERSION_NUMBER < 0x04000000) || \ + (defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)) || \ defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \ (defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT)) # define USE_CURL_NTLM_CORE diff --git a/lib/md5.c b/lib/md5.c index 897bd1b1a4..d99554a4aa 100644 --- a/lib/md5.c +++ b/lib/md5.c @@ -49,6 +49,10 @@ #endif #ifdef USE_MBEDTLS + #include + #if MBEDTLS_VERSION_NUMBER < 0x03020000 + #error "mbedTLS 3.2.0 or later required" + #endif #include #if defined(PSA_WANT_ALG_MD5) && PSA_WANT_ALG_MD5 /* mbedTLS 4+ */ #define USE_MBEDTLS_MD5 diff --git a/lib/sha256.c b/lib/sha256.c index cf8e98a550..f7bb545613 100644 --- a/lib/sha256.c +++ b/lib/sha256.c @@ -33,6 +33,10 @@ #include "curl_hmac.h" #ifdef USE_MBEDTLS + #include + #if MBEDTLS_VERSION_NUMBER < 0x03020000 + #error "mbedTLS 3.2.0 or later required" + #endif #include #if defined(PSA_WANT_ALG_SHA_256) && PSA_WANT_ALG_SHA_256 /* mbedTLS 4+ */ #define USE_MBEDTLS_SHA256 diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index 89157f655f..5a2310d115 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -37,6 +37,9 @@ /* #define MBEDTLS_DEBUG */ #include +#if MBEDTLS_VERSION_NUMBER < 0x03020000 + #error "mbedTLS 3.2.0 or later required" +#endif #include #include #include diff --git a/m4/curl-mbedtls.m4 b/m4/curl-mbedtls.m4 index 55152c5408..573db4c3ab 100644 --- a/m4/curl-mbedtls.m4 +++ b/m4/curl-mbedtls.m4 @@ -107,24 +107,11 @@ if test "x$OPT_MBEDTLS" != xno; then LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE mbedtls mbedx509 mbedcrypto" fi - mbedtls_4=0 - AC_MSG_CHECKING([for mbedTLS >= v4]) - AC_COMPILE_IFELSE([ - AC_LANG_PROGRAM([[ - #include - ]],[[ - #if (MBEDTLS_VERSION_NUMBER >= 0x04000000) - return 0; - #else - #error older than 4 - #endif - ]]) - ],[ - mbedtls_4=1 - AC_MSG_RESULT([yes]) - ],[ - AC_MSG_RESULT([no]) - ]) + dnl Check DES support in mbedTLS <4. + AC_CHECK_FUNCS(mbedtls_des_crypt_ecb) + if test "$ac_cv_func_mbedtls_des_crypt_ecb" = 'yes'; then + HAVE_MBEDTLS_DES_CRYPT_ECB=1 + fi fi fi dnl mbedTLS not disabled diff --git a/m4/curl-openssl.m4 b/m4/curl-openssl.m4 index 56245c9c2a..5175bb85d2 100644 --- a/m4/curl-openssl.m4 +++ b/m4/curl-openssl.m4 @@ -340,6 +340,29 @@ if test X"$OPT_OPENSSL" != Xno && AC_MSG_ERROR([--with-openssl was given but OpenSSL could not be detected]) fi +dnl --- +dnl We check OpenSSL for DES support. +dnl --- +if test "$OPENSSL_ENABLED" = "1"; then + AC_MSG_CHECKING([for DES support in OpenSSL]) + AC_LINK_IFELSE([ + AC_LANG_PROGRAM([[ + #ifndef OPENSSL_SUPPRESS_DEPRECATED + #define OPENSSL_SUPPRESS_DEPRECATED + #endif + #include + ]],[[ + DES_ecb_encrypt(0, 0, 0, DES_ENCRYPT); + ]]) + ],[ + AC_MSG_RESULT([yes]) + AC_DEFINE(HAVE_DES_ECB_ENCRYPT, 1, [if you have the function DES_ecb_encrypt]) + HAVE_DES_ECB_ENCRYPT=1 + ],[ + AC_MSG_RESULT([no]) + ]) +fi + dnl --- dnl We require OpenSSL with SRP support. dnl ---