moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-12 04:25:08 -05:00
Code Issues Releases Wiki Activity

gnutls: assume nettle crypto support

Browse Source 
nettle has been the default crypto library with GnuTLS since 2010. By
dropping support for the previous libcrypto, we simplify code.

Closes #6625
This commit is contained in:
Daniel Stenberg 2021-02-18 11:42:46 +01:00
parent 692faeab9f
commit e06fa7462a
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
6 changed files with 24 additions and 212 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
configure.ac
View File

@ -2228,26 +2228,15 @@ if test "$GNUTLS_ENABLED" = "1"; then
USE_GNUTLS_NETTLE= USE_GNUTLS_NETTLE=
# First check if we can detect either crypto library via transitive linking # First check if we can detect either crypto library via transitive linking
AC_CHECK_LIB(gnutls, nettle_MD5Init, [ USE_GNUTLS_NETTLE=1 ]) AC_CHECK_LIB(gnutls, nettle_MD5Init, [ USE_GNUTLS_NETTLE=1 ])
if test "$USE_GNUTLS_NETTLE" = ""; then
AC_CHECK_LIB(gnutls, gcry_control, [ USE_GNUTLS_NETTLE=0 ])
fi
# If not, try linking directly to both of them to see if they are available # If not, try linking directly to both of them to see if they are available
if test "$USE_GNUTLS_NETTLE" = ""; then if test "$USE_GNUTLS_NETTLE" = ""; then
AC_CHECK_LIB(nettle, nettle_MD5Init, [ USE_GNUTLS_NETTLE=1 ]) AC_CHECK_LIB(nettle, nettle_MD5Init, [ USE_GNUTLS_NETTLE=1 ])
fi fi
if test "$USE_GNUTLS_NETTLE" = ""; then if test "$USE_GNUTLS_NETTLE" = ""; then
AC_CHECK_LIB(gcrypt, gcry_control, [ USE_GNUTLS_NETTLE=0 ]) AC_MSG_ERROR([GnuTLS found, but nettle was not found])
fi
if test "$USE_GNUTLS_NETTLE" = ""; then
AC_MSG_ERROR([GnuTLS found, but neither gcrypt nor nettle found])
fi
if test "$USE_GNUTLS_NETTLE" = "1"; then
AC_DEFINE(USE_GNUTLS_NETTLE, 1, [if GnuTLS uses nettle as crypto backend])
AC_SUBST(USE_GNUTLS_NETTLE, [1])
LIBS="-lnettle $LIBS"
else
LIBS="-lgcrypt $LIBS"
fi fi
LIBS="-lnettle $LIBS"
fi fi
dnl --- dnl ---

76
lib/curl_ntlm_core.c
View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -34,13 +34,12 @@
/* Please keep the SSL backend-specific #if branches in this order: /* Please keep the SSL backend-specific #if branches in this order:
1. USE_OPENSSL 1. USE_OPENSSL
2. USE_GNUTLS_NETTLE 2. USE_GNUTLS
3. USE_GNUTLS 3. USE_NSS
4. USE_NSS 4. USE_MBEDTLS
5. USE_MBEDTLS 5. USE_SECTRANSP
6. USE_SECTRANSP 6. USE_OS400CRYPTO
7. USE_OS400CRYPTO 7. USE_WIN32_CRYPTO
8. USE_WIN32_CRYPTO
This ensures that: This ensures that:
- the same SSL branch gets activated throughout this source - the same SSL branch gets activated throughout this source
@ -74,13 +73,9 @@
# define DESKEY(x) &x # define DESKEY(x) &x
# endif # endif
#elif defined(USE_GNUTLS_NETTLE)
# include <nettle/des.h>
#elif defined(USE_GNUTLS) #elif defined(USE_GNUTLS)
# include <gcrypt.h> # include <nettle/des.h>
#elif defined(USE_NSS) #elif defined(USE_NSS)
@ -159,7 +154,7 @@ static void setup_des_key(const unsigned char *key_56,
DES_set_key(&key, ks); DES_set_key(&key, ks);
} }
#elif defined(USE_GNUTLS_NETTLE) #elif defined(USE_GNUTLS)
static void setup_des_key(const unsigned char *key_56, static void setup_des_key(const unsigned char *key_56,
struct des_ctx *des) struct des_ctx *des)
@ -176,26 +171,6 @@ static void setup_des_key(const unsigned char *key_56,
des_set_key(des, (const uint8_t *) key); des_set_key(des, (const uint8_t *) key);
} }
#elif defined(USE_GNUTLS)
/*
* Turns a 56 bit key into the 64 bit, odd parity key and sets the key.
*/
static void setup_des_key(const unsigned char *key_56,
gcry_cipher_hd_t *des)
{
char key[8];
/* Expand the 56-bit key to 64-bits */
extend_key_56_to_64(key_56, key);
/* Set the key parity to odd */
Curl_des_set_odd_parity((unsigned char *) key, sizeof(key));
/* Set the key */
gcry_cipher_setkey(*des, key, sizeof(key));
}
#elif defined(USE_NSS) #elif defined(USE_NSS)
/* /*
@ -402,7 +377,7 @@ void Curl_ntlm_core_lm_resp(const unsigned char *keys,
setup_des_key(keys + 14, DESKEY(ks)); setup_des_key(keys + 14, DESKEY(ks));
DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results + 16), DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results + 16),
DESKEY(ks), DES_ENCRYPT); DESKEY(ks), DES_ENCRYPT);
#elif defined(USE_GNUTLS_NETTLE) #elif defined(USE_GNUTLS)
struct des_ctx des; struct des_ctx des;
setup_des_key(keys, &des); setup_des_key(keys, &des);
des_encrypt(&des, 8, results, plaintext); des_encrypt(&des, 8, results, plaintext);
@ -410,23 +385,6 @@ void Curl_ntlm_core_lm_resp(const unsigned char *keys,
des_encrypt(&des, 8, results + 8, plaintext); des_encrypt(&des, 8, results + 8, plaintext);
setup_des_key(keys + 14, &des); setup_des_key(keys + 14, &des);
des_encrypt(&des, 8, results + 16, plaintext); des_encrypt(&des, 8, results + 16, plaintext);
#elif defined(USE_GNUTLS)
gcry_cipher_hd_t des;
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
setup_des_key(keys, &des);
gcry_cipher_encrypt(des, results, 8, plaintext, 8);
gcry_cipher_close(des);
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
setup_des_key(keys + 7, &des);
gcry_cipher_encrypt(des, results + 8, 8, plaintext, 8);
gcry_cipher_close(des);
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
setup_des_key(keys + 14, &des);
gcry_cipher_encrypt(des, results + 16, 8, plaintext, 8);
gcry_cipher_close(des);
#elif defined(USE_NSS) || defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \ #elif defined(USE_NSS) || defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \
|| defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
encrypt_des(plaintext, results, keys); encrypt_des(plaintext, results, keys);
@ -473,24 +431,12 @@ CURLcode Curl_ntlm_core_mk_lm_hash(struct Curl_easy *data,
setup_des_key(pw + 7, DESKEY(ks)); setup_des_key(pw + 7, DESKEY(ks));
DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer + 8), DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer + 8),
DESKEY(ks), DES_ENCRYPT); DESKEY(ks), DES_ENCRYPT);
#elif defined(USE_GNUTLS_NETTLE) #elif defined(USE_GNUTLS)
struct des_ctx des; struct des_ctx des;
setup_des_key(pw, &des); setup_des_key(pw, &des);
des_encrypt(&des, 8, lmbuffer, magic); des_encrypt(&des, 8, lmbuffer, magic);
setup_des_key(pw + 7, &des); setup_des_key(pw + 7, &des);
des_encrypt(&des, 8, lmbuffer + 8, magic); des_encrypt(&des, 8, lmbuffer + 8, magic);
#elif defined(USE_GNUTLS)
gcry_cipher_hd_t des;
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
setup_des_key(pw, &des);
gcry_cipher_encrypt(des, lmbuffer, 8, magic, 8);
gcry_cipher_close(des);
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
setup_des_key(pw + 7, &des);
gcry_cipher_encrypt(des, lmbuffer + 8, 8, magic, 8);
gcry_cipher_close(des);
#elif defined(USE_NSS) || defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \ #elif defined(USE_NSS) || defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \
|| defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
encrypt_des(magic, lmbuffer, pw); encrypt_des(magic, lmbuffer, pw);

31
lib/md4.c
View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -44,7 +44,7 @@
#endif #endif
#endif /* USE_MBEDTLS */ #endif /* USE_MBEDTLS */
#if defined(USE_GNUTLS_NETTLE) #if defined(USE_GNUTLS)
#include <nettle/md4.h> #include <nettle/md4.h>
@ -70,33 +70,6 @@ static void MD4_Final(unsigned char *result, MD4_CTX *ctx)
md4_digest(ctx, MD4_DIGEST_SIZE, result); md4_digest(ctx, MD4_DIGEST_SIZE, result);
} }
#elif defined(USE_GNUTLS)
#include <gcrypt.h>
#include "curl_memory.h"
/* The last #include file should be: */
#include "memdebug.h"
typedef gcry_md_hd_t MD4_CTX;
static void MD4_Init(MD4_CTX *ctx)
{
gcry_md_open(ctx, GCRY_MD_MD4, 0);
}
static void MD4_Update(MD4_CTX *ctx, const void *data, unsigned long size)
{
gcry_md_write(*ctx, data, size);
}
static void MD4_Final(unsigned char *result, MD4_CTX *ctx)
{
memcpy(result, gcry_md_read(*ctx, 0), MD4_DIGEST_LENGTH);
gcry_md_close(*ctx);
}
#elif defined(USE_OPENSSL) && !defined(OPENSSL_NO_MD4) #elif defined(USE_OPENSSL) && !defined(OPENSSL_NO_MD4)
/* When OpenSSL is available we use the MD4-functions from OpenSSL */ /* When OpenSSL is available we use the MD4-functions from OpenSSL */
#include <openssl/md4.h> #include <openssl/md4.h>

31
lib/md5.c
View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -38,7 +38,7 @@
#endif #endif
#endif /* USE_MBEDTLS */ #endif /* USE_MBEDTLS */
#if defined(USE_GNUTLS_NETTLE) #if defined(USE_GNUTLS)
#include <nettle/md5.h> #include <nettle/md5.h>
#include "curl_memory.h" #include "curl_memory.h"
@ -64,33 +64,6 @@ static void MD5_Final(unsigned char *digest, MD5_CTX *ctx)
md5_digest(ctx, 16, digest); md5_digest(ctx, 16, digest);
} }
#elif defined(USE_GNUTLS)
#include <gcrypt.h>
#include "curl_memory.h"
/* The last #include file should be: */
#include "memdebug.h"
typedef gcry_md_hd_t MD5_CTX;
static void MD5_Init(MD5_CTX *ctx)
{
gcry_md_open(ctx, GCRY_MD_MD5, 0);
}
static void MD5_Update(MD5_CTX *ctx,
const unsigned char *input,
unsigned int inputLen)
{
gcry_md_write(*ctx, input, inputLen);
}
static void MD5_Final(unsigned char *digest, MD5_CTX *ctx)
{
memcpy(digest, gcry_md_read(*ctx, 0), 16);
gcry_md_close(*ctx);
}
#elif defined(USE_OPENSSL) && !defined(USE_AMISSL) #elif defined(USE_OPENSSL) && !defined(USE_AMISSL)
/* When OpenSSL is available we use the MD5-function from OpenSSL */ /* When OpenSSL is available we use the MD5-function from OpenSSL */
#include <openssl/md5.h> #include <openssl/md5.h>

42
lib/sha256.c
View File

@ -6,7 +6,7 @@
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 2017, Florin Petriuc, <petriuc.florin@gmail.com> * Copyright (C) 2017, Florin Petriuc, <petriuc.florin@gmail.com>
* Copyright (C) 2018 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 2018 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -50,11 +50,10 @@
/* Please keep the SSL backend-specific #if branches in this order: /* Please keep the SSL backend-specific #if branches in this order:
* *
* 1. USE_OPENSSL * 1. USE_OPENSSL
* 2. USE_GNUTLS_NETTLE * 2. USE_GNUTLS
* 3. USE_GNUTLS * 3. USE_MBEDTLS
* 4. USE_MBEDTLS * 4. USE_COMMON_CRYPTO
* 5. USE_COMMON_CRYPTO * 5. USE_WIN32_CRYPTO
* 6. USE_WIN32_CRYPTO
* *
* This ensures that the same SSL branch gets activated throughout this source * This ensures that the same SSL branch gets activated throughout this source
* file even if multiple backends are enabled at the same time. * file even if multiple backends are enabled at the same time.
@ -65,7 +64,7 @@
/* When OpenSSL is available we use the SHA256-function from OpenSSL */ /* When OpenSSL is available we use the SHA256-function from OpenSSL */
#include <openssl/sha.h> #include <openssl/sha.h>
#elif defined(USE_GNUTLS_NETTLE) #elif defined(USE_GNUTLS)
#include <nettle/sha.h> #include <nettle/sha.h>
@ -93,35 +92,6 @@ static void SHA256_Final(unsigned char *digest, SHA256_CTX *ctx)
sha256_digest(ctx, SHA256_DIGEST_SIZE, digest); sha256_digest(ctx, SHA256_DIGEST_SIZE, digest);
} }
#elif defined(USE_GNUTLS)
#include <gcrypt.h>
#include "curl_memory.h"
/* The last #include file should be: */
#include "memdebug.h"
typedef gcry_md_hd_t SHA256_CTX;
static void SHA256_Init(SHA256_CTX *ctx)
{
gcry_md_open(ctx, GCRY_MD_SHA256, 0);
}
static void SHA256_Update(SHA256_CTX *ctx,
const unsigned char *data,
unsigned int length)
{
gcry_md_write(*ctx, data, length);
}
static void SHA256_Final(unsigned char *digest, SHA256_CTX *ctx)
{
memcpy(digest, gcry_md_read(*ctx, 0), SHA256_DIGEST_LENGTH);
gcry_md_close(*ctx);
}
#elif defined(USE_MBEDTLS) #elif defined(USE_MBEDTLS)
#include <mbedtls/sha256.h> #include <mbedtls/sha256.h>

39
lib/vtls/gtls.c
View File

@ -35,14 +35,8 @@
#include <gnutls/abstract.h> #include <gnutls/abstract.h>
#include <gnutls/gnutls.h> #include <gnutls/gnutls.h>
#include <gnutls/x509.h> #include <gnutls/x509.h>
#ifdef USE_GNUTLS_NETTLE
#include <gnutls/crypto.h> #include <gnutls/crypto.h>
#include <nettle/md5.h>
#include <nettle/sha2.h> #include <nettle/sha2.h>
#else
#include <gcrypt.h>
#endif
#include "urldata.h" #include "urldata.h"
#include "sendf.h" #include "sendf.h"
@ -1583,39 +1577,14 @@ static size_t gtls_version(char *buffer, size_t size)
return msnprintf(buffer, size, "GnuTLS/%s", gnutls_check_version(NULL)); return msnprintf(buffer, size, "GnuTLS/%s", gnutls_check_version(NULL));
} }
#ifndef USE_GNUTLS_NETTLE
static int gtls_seed(struct Curl_easy *data)
{
/* we have the "SSL is seeded" boolean static to prevent multiple
time-consuming seedings in vain */
static bool ssl_seeded = FALSE;
/* Quickly add a bit of entropy */
gcry_fast_random_poll();
if(!ssl_seeded || data->set.str[STRING_SSL_RANDOM_FILE] ||
data->set.str[STRING_SSL_EGDSOCKET]) {
ssl_seeded = TRUE;
}
return 0;
}
#endif
/* data might be NULL! */ /* data might be NULL! */
static CURLcode gtls_random(struct Curl_easy *data, static CURLcode gtls_random(struct Curl_easy *data,
unsigned char *entropy, size_t length) unsigned char *entropy, size_t length)
{ {
#if defined(USE_GNUTLS_NETTLE)
int rc; int rc;
(void)data; (void)data;
rc = gnutls_rnd(GNUTLS_RND_RANDOM, entropy, length); rc = gnutls_rnd(GNUTLS_RND_RANDOM, entropy, length);
return rc?CURLE_FAILED_INIT:CURLE_OK; return rc?CURLE_FAILED_INIT:CURLE_OK;
#elif defined(USE_GNUTLS)
if(data)
gtls_seed(data); /* Initiate the seed if not already done */
gcry_randomize(entropy, length, GCRY_STRONG_RANDOM);
#endif
return CURLE_OK;
} }
static CURLcode gtls_sha256sum(const unsigned char *tmp, /* input */ static CURLcode gtls_sha256sum(const unsigned char *tmp, /* input */
@ -1623,18 +1592,10 @@ static CURLcode gtls_sha256sum(const unsigned char *tmp, /* input */
unsigned char *sha256sum, /* output */ unsigned char *sha256sum, /* output */
size_t sha256len) size_t sha256len)
{ {
#if defined(USE_GNUTLS_NETTLE)
struct sha256_ctx SHA256pw; struct sha256_ctx SHA256pw;
sha256_init(&SHA256pw); sha256_init(&SHA256pw);
sha256_update(&SHA256pw, (unsigned int)tmplen, tmp); sha256_update(&SHA256pw, (unsigned int)tmplen, tmp);
sha256_digest(&SHA256pw, (unsigned int)sha256len, sha256sum); sha256_digest(&SHA256pw, (unsigned int)sha256len, sha256sum);
#elif defined(USE_GNUTLS)
gcry_md_hd_t SHA256pw;
gcry_md_open(&SHA256pw, GCRY_MD_SHA256, 0);
gcry_md_write(SHA256pw, tmp, tmplen);
memcpy(sha256sum, gcry_md_read(SHA256pw, 0), sha256len);
gcry_md_close(SHA256pw);
#endif
return CURLE_OK; return CURLE_OK;
} }