mirror of
https://github.com/moparisthebest/curl
synced 2024-11-12 04:25:08 -05:00
gnutls: assume nettle crypto support
nettle has been the default crypto library with GnuTLS since 2010. By dropping support for the previous libcrypto, we simplify code. Closes #6625
This commit is contained in:
parent
692faeab9f
commit
e06fa7462a
17
configure.ac
17
configure.ac
@ -2228,26 +2228,15 @@ if test "$GNUTLS_ENABLED" = "1"; then
|
||||
USE_GNUTLS_NETTLE=
|
||||
# First check if we can detect either crypto library via transitive linking
|
||||
AC_CHECK_LIB(gnutls, nettle_MD5Init, [ USE_GNUTLS_NETTLE=1 ])
|
||||
if test "$USE_GNUTLS_NETTLE" = ""; then
|
||||
AC_CHECK_LIB(gnutls, gcry_control, [ USE_GNUTLS_NETTLE=0 ])
|
||||
fi
|
||||
|
||||
# If not, try linking directly to both of them to see if they are available
|
||||
if test "$USE_GNUTLS_NETTLE" = ""; then
|
||||
AC_CHECK_LIB(nettle, nettle_MD5Init, [ USE_GNUTLS_NETTLE=1 ])
|
||||
fi
|
||||
if test "$USE_GNUTLS_NETTLE" = ""; then
|
||||
AC_CHECK_LIB(gcrypt, gcry_control, [ USE_GNUTLS_NETTLE=0 ])
|
||||
fi
|
||||
if test "$USE_GNUTLS_NETTLE" = ""; then
|
||||
AC_MSG_ERROR([GnuTLS found, but neither gcrypt nor nettle found])
|
||||
fi
|
||||
if test "$USE_GNUTLS_NETTLE" = "1"; then
|
||||
AC_DEFINE(USE_GNUTLS_NETTLE, 1, [if GnuTLS uses nettle as crypto backend])
|
||||
AC_SUBST(USE_GNUTLS_NETTLE, [1])
|
||||
LIBS="-lnettle $LIBS"
|
||||
else
|
||||
LIBS="-lgcrypt $LIBS"
|
||||
AC_MSG_ERROR([GnuTLS found, but nettle was not found])
|
||||
fi
|
||||
LIBS="-lnettle $LIBS"
|
||||
fi
|
||||
|
||||
dnl ---
|
||||
|
@ -5,7 +5,7 @@
|
||||
* | (__| |_| | _ <| |___
|
||||
* \___|\___/|_| \_\_____|
|
||||
*
|
||||
* Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
* Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
*
|
||||
* This software is licensed as described in the file COPYING, which
|
||||
* you should have received as part of this distribution. The terms
|
||||
@ -34,13 +34,12 @@
|
||||
/* Please keep the SSL backend-specific #if branches in this order:
|
||||
|
||||
1. USE_OPENSSL
|
||||
2. USE_GNUTLS_NETTLE
|
||||
3. USE_GNUTLS
|
||||
4. USE_NSS
|
||||
5. USE_MBEDTLS
|
||||
6. USE_SECTRANSP
|
||||
7. USE_OS400CRYPTO
|
||||
8. USE_WIN32_CRYPTO
|
||||
2. USE_GNUTLS
|
||||
3. USE_NSS
|
||||
4. USE_MBEDTLS
|
||||
5. USE_SECTRANSP
|
||||
6. USE_OS400CRYPTO
|
||||
7. USE_WIN32_CRYPTO
|
||||
|
||||
This ensures that:
|
||||
- the same SSL branch gets activated throughout this source
|
||||
@ -74,13 +73,9 @@
|
||||
# define DESKEY(x) &x
|
||||
# endif
|
||||
|
||||
#elif defined(USE_GNUTLS_NETTLE)
|
||||
|
||||
# include <nettle/des.h>
|
||||
|
||||
#elif defined(USE_GNUTLS)
|
||||
|
||||
# include <gcrypt.h>
|
||||
# include <nettle/des.h>
|
||||
|
||||
#elif defined(USE_NSS)
|
||||
|
||||
@ -159,7 +154,7 @@ static void setup_des_key(const unsigned char *key_56,
|
||||
DES_set_key(&key, ks);
|
||||
}
|
||||
|
||||
#elif defined(USE_GNUTLS_NETTLE)
|
||||
#elif defined(USE_GNUTLS)
|
||||
|
||||
static void setup_des_key(const unsigned char *key_56,
|
||||
struct des_ctx *des)
|
||||
@ -176,26 +171,6 @@ static void setup_des_key(const unsigned char *key_56,
|
||||
des_set_key(des, (const uint8_t *) key);
|
||||
}
|
||||
|
||||
#elif defined(USE_GNUTLS)
|
||||
|
||||
/*
|
||||
* Turns a 56 bit key into the 64 bit, odd parity key and sets the key.
|
||||
*/
|
||||
static void setup_des_key(const unsigned char *key_56,
|
||||
gcry_cipher_hd_t *des)
|
||||
{
|
||||
char key[8];
|
||||
|
||||
/* Expand the 56-bit key to 64-bits */
|
||||
extend_key_56_to_64(key_56, key);
|
||||
|
||||
/* Set the key parity to odd */
|
||||
Curl_des_set_odd_parity((unsigned char *) key, sizeof(key));
|
||||
|
||||
/* Set the key */
|
||||
gcry_cipher_setkey(*des, key, sizeof(key));
|
||||
}
|
||||
|
||||
#elif defined(USE_NSS)
|
||||
|
||||
/*
|
||||
@ -402,7 +377,7 @@ void Curl_ntlm_core_lm_resp(const unsigned char *keys,
|
||||
setup_des_key(keys + 14, DESKEY(ks));
|
||||
DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results + 16),
|
||||
DESKEY(ks), DES_ENCRYPT);
|
||||
#elif defined(USE_GNUTLS_NETTLE)
|
||||
#elif defined(USE_GNUTLS)
|
||||
struct des_ctx des;
|
||||
setup_des_key(keys, &des);
|
||||
des_encrypt(&des, 8, results, plaintext);
|
||||
@ -410,23 +385,6 @@ void Curl_ntlm_core_lm_resp(const unsigned char *keys,
|
||||
des_encrypt(&des, 8, results + 8, plaintext);
|
||||
setup_des_key(keys + 14, &des);
|
||||
des_encrypt(&des, 8, results + 16, plaintext);
|
||||
#elif defined(USE_GNUTLS)
|
||||
gcry_cipher_hd_t des;
|
||||
|
||||
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
|
||||
setup_des_key(keys, &des);
|
||||
gcry_cipher_encrypt(des, results, 8, plaintext, 8);
|
||||
gcry_cipher_close(des);
|
||||
|
||||
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
|
||||
setup_des_key(keys + 7, &des);
|
||||
gcry_cipher_encrypt(des, results + 8, 8, plaintext, 8);
|
||||
gcry_cipher_close(des);
|
||||
|
||||
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
|
||||
setup_des_key(keys + 14, &des);
|
||||
gcry_cipher_encrypt(des, results + 16, 8, plaintext, 8);
|
||||
gcry_cipher_close(des);
|
||||
#elif defined(USE_NSS) || defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \
|
||||
|| defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
|
||||
encrypt_des(plaintext, results, keys);
|
||||
@ -473,24 +431,12 @@ CURLcode Curl_ntlm_core_mk_lm_hash(struct Curl_easy *data,
|
||||
setup_des_key(pw + 7, DESKEY(ks));
|
||||
DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer + 8),
|
||||
DESKEY(ks), DES_ENCRYPT);
|
||||
#elif defined(USE_GNUTLS_NETTLE)
|
||||
#elif defined(USE_GNUTLS)
|
||||
struct des_ctx des;
|
||||
setup_des_key(pw, &des);
|
||||
des_encrypt(&des, 8, lmbuffer, magic);
|
||||
setup_des_key(pw + 7, &des);
|
||||
des_encrypt(&des, 8, lmbuffer + 8, magic);
|
||||
#elif defined(USE_GNUTLS)
|
||||
gcry_cipher_hd_t des;
|
||||
|
||||
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
|
||||
setup_des_key(pw, &des);
|
||||
gcry_cipher_encrypt(des, lmbuffer, 8, magic, 8);
|
||||
gcry_cipher_close(des);
|
||||
|
||||
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
|
||||
setup_des_key(pw + 7, &des);
|
||||
gcry_cipher_encrypt(des, lmbuffer + 8, 8, magic, 8);
|
||||
gcry_cipher_close(des);
|
||||
#elif defined(USE_NSS) || defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \
|
||||
|| defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
|
||||
encrypt_des(magic, lmbuffer, pw);
|
||||
|
31
lib/md4.c
31
lib/md4.c
@ -5,7 +5,7 @@
|
||||
* | (__| |_| | _ <| |___
|
||||
* \___|\___/|_| \_\_____|
|
||||
*
|
||||
* Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
* Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
*
|
||||
* This software is licensed as described in the file COPYING, which
|
||||
* you should have received as part of this distribution. The terms
|
||||
@ -44,7 +44,7 @@
|
||||
#endif
|
||||
#endif /* USE_MBEDTLS */
|
||||
|
||||
#if defined(USE_GNUTLS_NETTLE)
|
||||
#if defined(USE_GNUTLS)
|
||||
|
||||
#include <nettle/md4.h>
|
||||
|
||||
@ -70,33 +70,6 @@ static void MD4_Final(unsigned char *result, MD4_CTX *ctx)
|
||||
md4_digest(ctx, MD4_DIGEST_SIZE, result);
|
||||
}
|
||||
|
||||
#elif defined(USE_GNUTLS)
|
||||
|
||||
#include <gcrypt.h>
|
||||
|
||||
#include "curl_memory.h"
|
||||
|
||||
/* The last #include file should be: */
|
||||
#include "memdebug.h"
|
||||
|
||||
typedef gcry_md_hd_t MD4_CTX;
|
||||
|
||||
static void MD4_Init(MD4_CTX *ctx)
|
||||
{
|
||||
gcry_md_open(ctx, GCRY_MD_MD4, 0);
|
||||
}
|
||||
|
||||
static void MD4_Update(MD4_CTX *ctx, const void *data, unsigned long size)
|
||||
{
|
||||
gcry_md_write(*ctx, data, size);
|
||||
}
|
||||
|
||||
static void MD4_Final(unsigned char *result, MD4_CTX *ctx)
|
||||
{
|
||||
memcpy(result, gcry_md_read(*ctx, 0), MD4_DIGEST_LENGTH);
|
||||
gcry_md_close(*ctx);
|
||||
}
|
||||
|
||||
#elif defined(USE_OPENSSL) && !defined(OPENSSL_NO_MD4)
|
||||
/* When OpenSSL is available we use the MD4-functions from OpenSSL */
|
||||
#include <openssl/md4.h>
|
||||
|
31
lib/md5.c
31
lib/md5.c
@ -5,7 +5,7 @@
|
||||
* | (__| |_| | _ <| |___
|
||||
* \___|\___/|_| \_\_____|
|
||||
*
|
||||
* Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
* Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
*
|
||||
* This software is licensed as described in the file COPYING, which
|
||||
* you should have received as part of this distribution. The terms
|
||||
@ -38,7 +38,7 @@
|
||||
#endif
|
||||
#endif /* USE_MBEDTLS */
|
||||
|
||||
#if defined(USE_GNUTLS_NETTLE)
|
||||
#if defined(USE_GNUTLS)
|
||||
|
||||
#include <nettle/md5.h>
|
||||
#include "curl_memory.h"
|
||||
@ -64,33 +64,6 @@ static void MD5_Final(unsigned char *digest, MD5_CTX *ctx)
|
||||
md5_digest(ctx, 16, digest);
|
||||
}
|
||||
|
||||
#elif defined(USE_GNUTLS)
|
||||
|
||||
#include <gcrypt.h>
|
||||
#include "curl_memory.h"
|
||||
/* The last #include file should be: */
|
||||
#include "memdebug.h"
|
||||
|
||||
typedef gcry_md_hd_t MD5_CTX;
|
||||
|
||||
static void MD5_Init(MD5_CTX *ctx)
|
||||
{
|
||||
gcry_md_open(ctx, GCRY_MD_MD5, 0);
|
||||
}
|
||||
|
||||
static void MD5_Update(MD5_CTX *ctx,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen)
|
||||
{
|
||||
gcry_md_write(*ctx, input, inputLen);
|
||||
}
|
||||
|
||||
static void MD5_Final(unsigned char *digest, MD5_CTX *ctx)
|
||||
{
|
||||
memcpy(digest, gcry_md_read(*ctx, 0), 16);
|
||||
gcry_md_close(*ctx);
|
||||
}
|
||||
|
||||
#elif defined(USE_OPENSSL) && !defined(USE_AMISSL)
|
||||
/* When OpenSSL is available we use the MD5-function from OpenSSL */
|
||||
#include <openssl/md5.h>
|
||||
|
42
lib/sha256.c
42
lib/sha256.c
@ -6,7 +6,7 @@
|
||||
* \___|\___/|_| \_\_____|
|
||||
*
|
||||
* Copyright (C) 2017, Florin Petriuc, <petriuc.florin@gmail.com>
|
||||
* Copyright (C) 2018 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
* Copyright (C) 2018 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
*
|
||||
* This software is licensed as described in the file COPYING, which
|
||||
* you should have received as part of this distribution. The terms
|
||||
@ -50,11 +50,10 @@
|
||||
/* Please keep the SSL backend-specific #if branches in this order:
|
||||
*
|
||||
* 1. USE_OPENSSL
|
||||
* 2. USE_GNUTLS_NETTLE
|
||||
* 3. USE_GNUTLS
|
||||
* 4. USE_MBEDTLS
|
||||
* 5. USE_COMMON_CRYPTO
|
||||
* 6. USE_WIN32_CRYPTO
|
||||
* 2. USE_GNUTLS
|
||||
* 3. USE_MBEDTLS
|
||||
* 4. USE_COMMON_CRYPTO
|
||||
* 5. USE_WIN32_CRYPTO
|
||||
*
|
||||
* This ensures that the same SSL branch gets activated throughout this source
|
||||
* file even if multiple backends are enabled at the same time.
|
||||
@ -65,7 +64,7 @@
|
||||
/* When OpenSSL is available we use the SHA256-function from OpenSSL */
|
||||
#include <openssl/sha.h>
|
||||
|
||||
#elif defined(USE_GNUTLS_NETTLE)
|
||||
#elif defined(USE_GNUTLS)
|
||||
|
||||
#include <nettle/sha.h>
|
||||
|
||||
@ -93,35 +92,6 @@ static void SHA256_Final(unsigned char *digest, SHA256_CTX *ctx)
|
||||
sha256_digest(ctx, SHA256_DIGEST_SIZE, digest);
|
||||
}
|
||||
|
||||
#elif defined(USE_GNUTLS)
|
||||
|
||||
#include <gcrypt.h>
|
||||
|
||||
#include "curl_memory.h"
|
||||
|
||||
/* The last #include file should be: */
|
||||
#include "memdebug.h"
|
||||
|
||||
typedef gcry_md_hd_t SHA256_CTX;
|
||||
|
||||
static void SHA256_Init(SHA256_CTX *ctx)
|
||||
{
|
||||
gcry_md_open(ctx, GCRY_MD_SHA256, 0);
|
||||
}
|
||||
|
||||
static void SHA256_Update(SHA256_CTX *ctx,
|
||||
const unsigned char *data,
|
||||
unsigned int length)
|
||||
{
|
||||
gcry_md_write(*ctx, data, length);
|
||||
}
|
||||
|
||||
static void SHA256_Final(unsigned char *digest, SHA256_CTX *ctx)
|
||||
{
|
||||
memcpy(digest, gcry_md_read(*ctx, 0), SHA256_DIGEST_LENGTH);
|
||||
gcry_md_close(*ctx);
|
||||
}
|
||||
|
||||
#elif defined(USE_MBEDTLS)
|
||||
|
||||
#include <mbedtls/sha256.h>
|
||||
|
@ -35,14 +35,8 @@
|
||||
#include <gnutls/abstract.h>
|
||||
#include <gnutls/gnutls.h>
|
||||
#include <gnutls/x509.h>
|
||||
|
||||
#ifdef USE_GNUTLS_NETTLE
|
||||
#include <gnutls/crypto.h>
|
||||
#include <nettle/md5.h>
|
||||
#include <nettle/sha2.h>
|
||||
#else
|
||||
#include <gcrypt.h>
|
||||
#endif
|
||||
|
||||
#include "urldata.h"
|
||||
#include "sendf.h"
|
||||
@ -1583,39 +1577,14 @@ static size_t gtls_version(char *buffer, size_t size)
|
||||
return msnprintf(buffer, size, "GnuTLS/%s", gnutls_check_version(NULL));
|
||||
}
|
||||
|
||||
#ifndef USE_GNUTLS_NETTLE
|
||||
static int gtls_seed(struct Curl_easy *data)
|
||||
{
|
||||
/* we have the "SSL is seeded" boolean static to prevent multiple
|
||||
time-consuming seedings in vain */
|
||||
static bool ssl_seeded = FALSE;
|
||||
|
||||
/* Quickly add a bit of entropy */
|
||||
gcry_fast_random_poll();
|
||||
|
||||
if(!ssl_seeded || data->set.str[STRING_SSL_RANDOM_FILE] ||
|
||||
data->set.str[STRING_SSL_EGDSOCKET]) {
|
||||
ssl_seeded = TRUE;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* data might be NULL! */
|
||||
static CURLcode gtls_random(struct Curl_easy *data,
|
||||
unsigned char *entropy, size_t length)
|
||||
{
|
||||
#if defined(USE_GNUTLS_NETTLE)
|
||||
int rc;
|
||||
(void)data;
|
||||
rc = gnutls_rnd(GNUTLS_RND_RANDOM, entropy, length);
|
||||
return rc?CURLE_FAILED_INIT:CURLE_OK;
|
||||
#elif defined(USE_GNUTLS)
|
||||
if(data)
|
||||
gtls_seed(data); /* Initiate the seed if not already done */
|
||||
gcry_randomize(entropy, length, GCRY_STRONG_RANDOM);
|
||||
#endif
|
||||
return CURLE_OK;
|
||||
}
|
||||
|
||||
static CURLcode gtls_sha256sum(const unsigned char *tmp, /* input */
|
||||
@ -1623,18 +1592,10 @@ static CURLcode gtls_sha256sum(const unsigned char *tmp, /* input */
|
||||
unsigned char *sha256sum, /* output */
|
||||
size_t sha256len)
|
||||
{
|
||||
#if defined(USE_GNUTLS_NETTLE)
|
||||
struct sha256_ctx SHA256pw;
|
||||
sha256_init(&SHA256pw);
|
||||
sha256_update(&SHA256pw, (unsigned int)tmplen, tmp);
|
||||
sha256_digest(&SHA256pw, (unsigned int)sha256len, sha256sum);
|
||||
#elif defined(USE_GNUTLS)
|
||||
gcry_md_hd_t SHA256pw;
|
||||
gcry_md_open(&SHA256pw, GCRY_MD_SHA256, 0);
|
||||
gcry_md_write(SHA256pw, tmp, tmplen);
|
||||
memcpy(sha256sum, gcry_md_read(SHA256pw, 0), sha256len);
|
||||
gcry_md_close(SHA256pw);
|
||||
#endif
|
||||
return CURLE_OK;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user