Make autotools and cmake detect DES support in OpenSSL and mbedTLS.
Forward feature macros to C and omit NTLM from the feature preview list.
Use the feature macros in source. This ensures that `-V` output matches
the preview.
OpenSSL doesn't support DES when built with `no-des` or `no-deprecated`.
mbedTLS 4.x no longer supports it, and it's possible to disable it in
<4 with `scripts/config.py unset MBEDTLS_DES_C`.
Before this patch this worked for
mbedTLS 4 only, and with a regression for pending PR #16973.
Also:
- drop NTLM feature check from `curl_setup.h` in favour of autotools/
cmake feature macros. This makes `curl_setup.h` no longer need
to include an mbedTLS header, which in turn makes tests/server build
without depending on mbedTLS.
Fixing, in #16973:
```
In file included from tests/server/first.h:40,
from bld/tests/server/servers.c:3:
lib/curl_setup.h:741:10: fatal error: mbedtls/version.h: No such file or directory
741 | #include <mbedtls/version.h>
| ^~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/
18689537893/job/
53291322012?pr=16973
Ref: #19181 (initial fix idea)
Follow-up to
3a305831d1a9d10b2bfd4fa3939ed41275fee7f7 #19077
- move back mbedTLS header include and version check from
`curl_setup.h` to each source which consumes mbedTLS.
- GHA/http3-linux: drop workaround that disabled NTLM for
`no-deprecated` OpenSSL builds.
Follow-up to
006977859dcc4b8670878bd669276d778a2715bb #12384
- curl_ntlm_core: drop pointless macro `CURL_NTLM_NOT_SUPPORTED`.
Follow-up to
006977859dcc4b8670878bd669276d778a2715bb #12384
Closes #19206
PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/openssl/build/lib
- --with-ngtcp2 --disable-ntlm
- --with-openssl=/home/runner/openssl/build --enable-ssls-export
+ --with-openssl=/home/runner/openssl/build --with-ngtcp2 --enable-ssls-export
- name: 'openssl'
install_steps: skipall
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_NGTCP2=ON
-DCURL_DISABLE_LDAP=ON
- -DCURL_DISABLE_NTLM=ON
-DCMAKE_UNITY_BUILD=ON
- name: 'libressl'
PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/libressl/build/lib
- --with-ngtcp2 --disable-ntlm
- --with-openssl=/home/runner/libressl/build --enable-ssls-export
+ --with-openssl=/home/runner/libressl/build --with-ngtcp2 --enable-ssls-export
--enable-unity
- name: 'libressl'
PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
- -DOPENSSL_ROOT_DIR=/home/runner/libressl/build
- -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
+ -DOPENSSL_ROOT_DIR=/home/runner/libressl/build -DUSE_NGTCP2=ON
- name: 'awslc'
install_steps: skipall
PKG_CONFIG_PATH: /home/runner/awslc/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/awslc/build/lib
- --with-ngtcp2 --disable-ntlm
- --with-openssl=/home/runner/awslc/build --enable-ssls-export
+ --with-openssl=/home/runner/awslc/build --with-ngtcp2 --enable-ssls-export
- name: 'awslc'
PKG_CONFIG_PATH: /home/runner/awslc/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
- -DOPENSSL_ROOT_DIR=/home/runner/awslc/build -DBUILD_SHARED_LIBS=OFF
- -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
+ -DOPENSSL_ROOT_DIR=/home/runner/awslc/build -DUSE_NGTCP2=ON -DBUILD_SHARED_LIBS=OFF
-DCMAKE_UNITY_BUILD=ON
- name: 'boringssl'
PKG_CONFIG_PATH: /home/runner/boringssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2-boringssl/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/boringssl/build/lib
- --with-ngtcp2 --disable-ntlm
- --with-openssl=/home/runner/boringssl/build --enable-ssls-export
+ --with-openssl=/home/runner/boringssl/build --with-ngtcp2 --enable-ssls-export
- name: 'boringssl'
PKG_CONFIG_PATH: /home/runner/boringssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2-boringssl/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
- -DOPENSSL_ROOT_DIR=/home/runner/boringssl/build -DBUILD_SHARED_LIBS=OFF
- -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
+ -DOPENSSL_ROOT_DIR=/home/runner/boringssl/build -DUSE_NGTCP2=ON -DBUILD_SHARED_LIBS=OFF
-DCMAKE_UNITY_BUILD=ON
- name: 'gnutls'
PKG_CONFIG_PATH: /home/runner/gnutls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/gnutls/build/lib
- --with-ngtcp2
- --with-gnutls=/home/runner/gnutls/build --enable-ssls-export
+ --with-gnutls=/home/runner/gnutls/build --with-ngtcp2 --enable-ssls-export
- name: 'gnutls'
install_packages: nettle-dev libp11-kit-dev
PKG_CONFIG_PATH: /home/runner/gnutls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
- -DCURL_USE_GNUTLS=ON
- -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
+ -DCURL_USE_GNUTLS=ON -DUSE_NGTCP2=ON
-DCMAKE_UNITY_BUILD=ON
- name: 'wolfssl'
PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/wolfssl/build/lib
- --with-ngtcp2
- --with-wolfssl=/home/runner/wolfssl/build
- --enable-ech --enable-ssls-export
+ --with-wolfssl=/home/runner/wolfssl/build --with-ngtcp2 --enable-ech --enable-ssls-export
--enable-unity
- name: 'wolfssl'
PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
LDFLAGS=-Wl,-rpath,/home/runner/openssl/build/lib
- --disable-ntlm
--with-openssl=/home/runner/openssl/build --with-openssl-quic
- name: 'openssl-quic'
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_OPENSSL_QUIC=ON
-DCURL_DISABLE_LDAP=ON
- -DCURL_DISABLE_NTLM=ON
-DCMAKE_UNITY_BUILD=ON
- name: 'quiche'
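Review bot: Removing `--disable-ntlm` and `-DCURL_DISABLE_NTLM=ON` from the OpenSSL, LibreSSL, AWS-LC and BoringSSL jobs makes NTLM in those builds depend on the new DES probe, but nothing in these matrix entries checks the outcome, so a probe regression would show up only as NTLM silently disappearing from (or reappearing in) `curl -V` for the `no-deprecated` OpenSSL build the description mentions. If the workflow has a post-build step outside this hunk that inspects `curl -V`, a one-line assertion that the `Features:` line carries the expected NTLM state for that job would turn the silent drift into a CI failure. I cannot see the rest of the workflow, so this may already be covered elsewhere.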
set(_valid_default_ssl_backend TRUE)
endif()
set(_curl_ca_bundle_supported TRUE)
+
+ if(MBEDTLS_VERSION VERSION_GREATER_EQUAL 4.0.0)
+ set(HAVE_MBEDTLS_DES_CRYPT_ECB 0) # pre-fill detection result
+ endif()
+ if(NOT DEFINED HAVE_MBEDTLS_DES_CRYPT_ECB)
+ cmake_push_check_state()
+ list(APPEND CMAKE_REQUIRED_INCLUDES "${MBEDTLS_INCLUDE_DIRS}")
+ list(APPEND CMAKE_REQUIRED_LIBRARIES "${MBEDTLS_LIBRARIES}")
+ curl_required_libpaths("${MBEDTLS_LIBRARY_DIRS}")
+ check_function_exists("mbedtls_des_crypt_ecb" HAVE_MBEDTLS_DES_CRYPT_ECB) # in mbedTLS <4
+ cmake_pop_check_state()
+ endif()
endif()
if(CURL_USE_WOLFSSL)
endif()
if(USE_OPENSSL)
+ if(NOT DEFINED HAVE_DES_ECB_ENCRYPT)
+ curl_openssl_check_exists("DES_ecb_encrypt" "openssl/des.h" HAVE_DES_ECB_ENCRYPT)
+ endif()
if(NOT DEFINED HAVE_SSL_SET0_WBIO)
curl_openssl_check_exists("SSL_set0_wbio" HAVE_SSL_SET0_WBIO)
endif()
# NTLM support requires crypto functions from various SSL libs.
# These conditions must match those in lib/curl_setup.h.
if(NOT CURL_DISABLE_NTLM AND
- (USE_OPENSSL OR
- (USE_MBEDTLS AND MBEDTLS_VERSION VERSION_LESS 4.0.0) OR
+ ((USE_OPENSSL AND HAVE_DES_ECB_ENCRYPT) OR
+ (USE_MBEDTLS AND HAVE_MBEDTLS_DES_CRYPT_ECB) OR
USE_GNUTLS OR
USE_WIN32_CRYPTO OR
(USE_WOLFSSL AND HAVE_WOLFSSL_DES_ECB_ENCRYPT)))
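Review bot: The OpenSSL probe `curl_openssl_check_exists("DES_ecb_encrypt" "openssl/des.h" HAVE_DES_ECB_ENCRYPT)` does not obviously test the same thing as the autotools probe, which explicitly defines `OPENSSL_SUPPRESS_DEPRECATED` before including `openssl/des.h`; here that depends on what `curl_openssl_check_exists` adds, which is not visible in this hunk. If the helper compiles with deprecation warnings promoted to errors, an OpenSSL 3 build that still ships DES would be reported as lacking it by CMake but not by configure, and NTLM would differ between the two build systems for the same library. Worth confirming the helper suppresses deprecation warnings, or adding `OPENSSL_SUPPRESS_DEPRECATED` to `CMAKE_REQUIRED_DEFINITIONS` around that call. The comment above the NTLM condition says it must match `lib/curl_setup.h`; since `configure.ac` now carries a third copy of the same condition, extending it to `# These conditions must match those in lib/curl_setup.h and configure.ac.` would help keep all three in sync.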
use_curl_ntlm_core=no
if test "x$CURL_DISABLE_NTLM" != "x1"; then
- if test "x$OPENSSL_ENABLED" = "x1" \
+ if test "x$HAVE_DES_ECB_ENCRYPT" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" \
-o "x$USE_WIN32_CRYPTO" = "x1" \
- -o "x$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "x1"; then
- use_curl_ntlm_core=yes
- elif test "x$MBEDTLS_ENABLED" = "x1" && test "$mbedtls_4" = "0"; then
+ -o "x$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "x1" \
+ -o "x$HAVE_MBEDTLS_DES_CRYPT_ECB" = "x1"; then
use_curl_ntlm_core=yes
fi
Available variables:
+- `HAVE_DES_ECB_ENCRYPT`: `DES_ecb_encrypt` present in OpenSSL (or fork).
- `HAVE_GNUTLS_SRP`: `gnutls_srp_verifier` present in GnuTLS.
- `HAVE_LDAP_INIT_FD`: `ldap_init_fd` present in LDAP library.
- `HAVE_LDAP_URL_PARSE`: `ldap_url_parse` present in LDAP library.
+- `HAVE_MBEDTLS_DES_CRYPT_ECB`: `mbedtls_des_crypt_ecb` present in mbedTLS <4.
- `HAVE_OPENSSL_SRP`: `SSL_CTX_set_srp_username` present in OpenSSL (or fork).
- `HAVE_QUICHE_CONN_SET_QLOG_FD`: `quiche_conn_set_qlog_fd` present in quiche.
- `HAVE_RUSTLS_SUPPORTED_HPKE`: `rustls_supported_hpke` present in Rustls (unused if Rustls is detected via `pkg-config`).
/* if mbedTLS is enabled */
#cmakedefine USE_MBEDTLS 1
+/* if mbedTLS <4 has the mbedtls_des_crypt_ecb function. */
+#cmakedefine HAVE_MBEDTLS_DES_CRYPT_ECB 1
+
/* if Rustls is enabled */
#cmakedefine USE_RUSTLS 1
#cmakedefine USE_ECH 1
/* Define to 1 if you have the wolfSSL_CTX_GenerateEchConfig function. */
-#cmakedefine HAVE_WOLFSSL_CTX_GENERATEECHCONFIG
+#cmakedefine HAVE_WOLFSSL_CTX_GENERATEECHCONFIG 1
/* Define to 1 if you have the SSL_set1_ech_config_list function. */
-#cmakedefine HAVE_SSL_SET1_ECH_CONFIG_LIST
+#cmakedefine HAVE_SSL_SET1_ECH_CONFIG_LIST 1
+
+/* Define to 1 if OpenSSL has the DES_ecb_encrypt function. */
+#cmakedefine HAVE_DES_ECB_ENCRYPT 1
in NTLM type-3 messages.
*/
-#ifdef USE_OPENSSL
- #include <openssl/opensslconf.h>
- #if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0)
- #define USE_OPENSSL_DES
- #endif
-#elif defined(USE_WOLFSSL)
- #include <wolfssl/options.h>
- #ifndef NO_DES3
- #define USE_OPENSSL_DES
- #endif
-#elif defined(USE_MBEDTLS)
- #include <mbedtls/version.h>
- #if MBEDTLS_VERSION_NUMBER < 0x04000000
- #define USE_MBEDTLS_DES
- #endif
+#ifdef USE_MBEDTLS
+#include <mbedtls/version.h>
+#if MBEDTLS_VERSION_NUMBER < 0x03020000
+ #error "mbedTLS 3.2.0 or later required"
+#endif
+#endif
+
+#if defined(USE_OPENSSL) && defined(HAVE_DES_ECB_ENCRYPT)
+ #define USE_OPENSSL_DES
+#elif defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT)
+ #define USE_OPENSSL_DES
+#elif defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)
+ #define USE_MBEDTLS_DES
#endif
#ifdef USE_OPENSSL_DES
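Review bot: The `#include <mbedtls/version.h>` plus `#if MBEDTLS_VERSION_NUMBER < 0x03020000` / `#error` block added here is repeated verbatim in `curl_md5.c`, `curl_sha256.c` and `vtls/mbedtls.c` in this commit, and four copies of a minimum-version floor tend to drift the next time it is raised. A single small header holding the include and the guard, included by each mbedTLS consumer, would keep it in one place and reduce this block to one line. The `#error "cannot compile NTLM support without a crypto library with DES."` further down replaces the old `CURL_NTLM_NOT_SUPPORTED` fallback, so compiling this file with none of the `USE_*_DES` macros now fails the build instead of producing an empty unit; that is correct as long as this file is only compiled under `USE_CURL_NTLM_CORE` (presumably gated outside the hunk) and both conditions derive from the same `HAVE_*` macros, and a comment such as `/* unreachable unless this block and USE_CURL_NTLM_CORE in curl_setup.h disagree */` above the `#error` would document that invariant.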
# endif
# define DESKEY(x) &x
#else
+# include <wolfssl/options.h>
# include <wolfssl/openssl/des.h>
# include <wolfssl/openssl/md5.h>
# include <wolfssl/openssl/ssl.h>
# include <wincrypt.h>
#else
# error "cannot compile NTLM support without a crypto library with DES."
-# define CURL_NTLM_NOT_SUPPORTED
#endif
#include "urldata.h"
#include "curl_memory.h"
#include "memdebug.h"
-#ifndef CURL_NTLM_NOT_SUPPORTED
/*
* Turns a 56-bit key into being 64-bit wide.
*/
key[6] = (char)(((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6));
key[7] = (char) ((key_56[6] << 1) & 0xFF);
}
-#endif
#ifdef USE_OPENSSL_DES
/*
unsigned char *lmbuffer /* 21 bytes */)
{
unsigned char pw[14];
-#ifndef CURL_NTLM_NOT_SUPPORTED
static const unsigned char magic[] = {
0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 /* i.e. KGS!@#$% */
};
-#endif
size_t len = CURLMIN(strlen(password), 14);
Curl_strntoupper((char *)pw, password, len);
# endif
#endif
-#ifdef USE_MBEDTLS
-#include <mbedtls/version.h>
-#if MBEDTLS_VERSION_NUMBER < 0x03020000
- #error "mbedTLS 3.2.0 or later required"
-#endif
-#endif
-
#if defined(USE_WOLFSSL) && defined(USE_GNUTLS)
/* Avoid defining unprefixed wolfSSL SHA macros colliding with nettle ones */
#define NO_OLD_WC_NAMES
/* Single point where USE_NTLM definition might be defined */
#ifndef CURL_DISABLE_NTLM
-# if defined(USE_OPENSSL) || \
+# if (defined(USE_OPENSSL) && defined(HAVE_DES_ECB_ENCRYPT)) || \
defined(USE_GNUTLS) || \
- (defined(USE_MBEDTLS) && MBEDTLS_VERSION_NUMBER < 0x04000000) || \
+ (defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \
(defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT))
# define USE_CURL_NTLM_CORE
#endif
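Review bot: `USE_CURL_NTLM_CORE` now depends on `HAVE_DES_ECB_ENCRYPT` and `HAVE_MBEDTLS_DES_CRYPT_ECB`, which only the autotools and CMake detection added in this commit produce; a build that uses a hand-maintained config header instead (curl's platform `config-*.h` files, none of which appear in this change as shown) would see the macro simply undefined and OpenSSL NTLM would silently drop out of that build. Unless those headers are updated elsewhere in the change, the ones that assume OpenSSL with DES need `#define HAVE_DES_ECB_ENCRYPT 1`, or the build documentation should state that NTLM now requires the detection. This condition is also encoded in `CMakeLists.txt` and `configure.ac`, and `USE_OS400CRYPTO` appears only here, so a comment on this block such as `/* keep in sync with the NTLM conditions in CMakeLists.txt and configure.ac */` would help keep the three copies aligned. The `#ifndef CURL_DISABLE_NTLM` block may continue past the hunk.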
#ifdef USE_MBEDTLS
+ #include <mbedtls/version.h>
+ #if MBEDTLS_VERSION_NUMBER < 0x03020000
+ #error "mbedTLS 3.2.0 or later required"
+ #endif
#include <psa/crypto_config.h>
#if defined(PSA_WANT_ALG_MD5) && PSA_WANT_ALG_MD5 /* mbedTLS 4+ */
#define USE_MBEDTLS_MD5
#include "curl_hmac.h"
#ifdef USE_MBEDTLS
+ #include <mbedtls/version.h>
+ #if MBEDTLS_VERSION_NUMBER < 0x03020000
+ #error "mbedTLS 3.2.0 or later required"
+ #endif
#include <psa/crypto_config.h>
#if defined(PSA_WANT_ALG_SHA_256) && PSA_WANT_ALG_SHA_256 /* mbedTLS 4+ */
#define USE_MBEDTLS_SHA256
/* #define MBEDTLS_DEBUG */
#include <mbedtls/version.h>
+#if MBEDTLS_VERSION_NUMBER < 0x03020000
+ #error "mbedTLS 3.2.0 or later required"
+#endif
#include <psa/crypto_config.h>
#include <mbedtls/net_sockets.h>
#include <mbedtls/ssl.h>
LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE mbedtls mbedx509 mbedcrypto"
fi
- mbedtls_4=0
- AC_MSG_CHECKING([for mbedTLS >= v4])
- AC_COMPILE_IFELSE([
- AC_LANG_PROGRAM([[
- #include <mbedtls/version.h>
- ]],[[
- #if (MBEDTLS_VERSION_NUMBER >= 0x04000000)
- return 0;
- #else
- #error older than 4
- #endif
- ]])
- ],[
- mbedtls_4=1
- AC_MSG_RESULT([yes])
- ],[
- AC_MSG_RESULT([no])
- ])
+ dnl Check DES support in mbedTLS <4.
+ AC_CHECK_FUNCS(mbedtls_des_crypt_ecb)
+ if test "$ac_cv_func_mbedtls_des_crypt_ecb" = 'yes'; then
+ HAVE_MBEDTLS_DES_CRYPT_ECB=1
+ fi
fi
fi dnl mbedTLS not disabled
AC_MSG_ERROR([--with-openssl was given but OpenSSL could not be detected])
fi
+dnl ---
+dnl We check OpenSSL for DES support.
+dnl ---
+if test "$OPENSSL_ENABLED" = "1"; then
+ AC_MSG_CHECKING([for DES support in OpenSSL])
+ AC_LINK_IFELSE([
+ AC_LANG_PROGRAM([[
+ #ifndef OPENSSL_SUPPRESS_DEPRECATED
+ #define OPENSSL_SUPPRESS_DEPRECATED
+ #endif
+ #include <openssl/des.h>
+ ]],[[
+ DES_ecb_encrypt(0, 0, 0, DES_ENCRYPT);
+ ]])
+ ],[
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(HAVE_DES_ECB_ENCRYPT, 1, [if you have the function DES_ecb_encrypt])
+ HAVE_DES_ECB_ENCRYPT=1
+ ],[
+ AC_MSG_RESULT([no])
+ ])
+fi
+
dnl ---
dnl We require OpenSSL with SRP support.
dnl ---
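Review bot: The new OpenSSL DES probe stores its result only in the `HAVE_DES_ECB_ENCRYPT` shell variable and an `AC_DEFINE`, with no cache variable, whereas the mbedTLS side goes through `AC_CHECK_FUNCS(mbedtls_des_crypt_ecb)` and is therefore both cached and overridable by setting `ac_cv_func_mbedtls_des_crypt_ecb` on the configure command line. Wrapping the `AC_LINK_IFELSE` in an `AC_CACHE_CHECK` with a `curl_cv_` variable and deriving the define and the shell variable from that result would make the two probes consistent and give cross-compiling users a way to force the answer when the link test cannot be trusted. Passing null pointers in `DES_ecb_encrypt(0, 0, 0, DES_ENCRYPT);` is fine because the program is linked but never run, and a short `dnl link-only test; the call is never executed` comment would keep a later reader from turning it into an `AC_RUN_IFELSE`.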