NTLM: disable if DES support missing from OpenSSL or mbedTLS

Make autotools and cmake detect DES support in OpenSSL and mbedTLS. Forward feature macros to C and omit NTLM from the feature preview list. Use the feature macros in source. This ensure that `-V` output matches the preview. OpenSSL doesn't support DES when built with `no-des` or `no-deprecated`. mbedTLS 4.x no longer supports it, and it's possible to disable it in <4 with `scripts/config.py unset MBEDTLS_DES_C`. Before this patch this worked for mbedTLS 4 only, and with a regression for pending PR #16973. Also: - drop NTLM feature check from `curl_setup.h` in favour of autotools/ cmake feature macros. This makes `curl_setup.h` no longer need to include an mbedTLS header, which in turn makes tests/server build without depending on mbedTLS. Fixing, in #16973: ``` In file included from tests/server/first.h:40, from bld/tests/server/servers.c:3: lib/curl_setup.h:741:10: fatal error: mbedtls/version.h: No such file or directory 741 | #include <mbedtls/version.h> | ^~~~~~~~~~~~~~~~~~~ ``` Ref: https://github.com/curl/curl/actions/runs/18689537893/job/53291322012?pr=16973 Ref: #19181 (initial fix idea) Follow-up to 3a305831d1 #19077 - move back mbedTLS header include and version check from `curl_setup.h` to each source which consumes mbedTLS. - GHA/http3-linux: drop workaround that disabled NTLM for `no-deprecated` OpenSSL builds. Follow-up to 006977859d #12384 - curl_ntlm_core: drop pointless macro `CURL_NTLM_NOT_SUPPORTED`. Follow-up to 006977859d #12384 Closes #19206
2026-04-14 22:41:40 +03:00 · 2025-10-23 22:08:53 +02:00 · 2025-10-23 22:08:53 +02:00 · 4a6fbd5e1d
commit 4a6fbd5e1d
parent 1de4a9a5fb
12 changed files with 95 additions and 79 deletions
--- a/.github/workflows/http3-linux.yml
+++ b/.github/workflows/http3-linux.yml
@ -334,8 +334,7 @@ jobs:
            PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
            configure: >-
              LDFLAGS=-Wl,-rpath,/home/runner/openssl/build/lib
-              --with-ngtcp2 --disable-ntlm
+              --with-openssl=/home/runner/openssl/build --with-ngtcp2 --enable-ssls-export
              --with-openssl=/home/runner/openssl/build --enable-ssls-export
          - name: 'openssl'
            install_steps: skipall
@ -343,7 +342,6 @@ jobs:
            generate: >-
              -DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_NGTCP2=ON
              -DCURL_DISABLE_LDAP=ON
              -DCURL_DISABLE_NTLM=ON
              -DCMAKE_UNITY_BUILD=ON
          - name: 'libressl'
@ -351,29 +349,25 @@ jobs:
            PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
            configure: >-
              LDFLAGS=-Wl,-rpath,/home/runner/libressl/build/lib
-              --with-ngtcp2 --disable-ntlm
+              --with-openssl=/home/runner/libressl/build --with-ngtcp2 --enable-ssls-export
              --with-openssl=/home/runner/libressl/build --enable-ssls-export
              --enable-unity
          - name: 'libressl'
            PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
            generate: >-
-              -DOPENSSL_ROOT_DIR=/home/runner/libressl/build
+              -DOPENSSL_ROOT_DIR=/home/runner/libressl/build -DUSE_NGTCP2=ON
              -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
          - name: 'awslc'
            install_steps: skipall
            PKG_CONFIG_PATH: /home/runner/awslc/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
            configure: >-
              LDFLAGS=-Wl,-rpath,/home/runner/awslc/build/lib
-              --with-ngtcp2 --disable-ntlm
+              --with-openssl=/home/runner/awslc/build --with-ngtcp2 --enable-ssls-export
              --with-openssl=/home/runner/awslc/build --enable-ssls-export
          - name: 'awslc'
            PKG_CONFIG_PATH: /home/runner/awslc/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
            generate: >-
-              -DOPENSSL_ROOT_DIR=/home/runner/awslc/build -DBUILD_SHARED_LIBS=OFF
+              -DOPENSSL_ROOT_DIR=/home/runner/awslc/build -DUSE_NGTCP2=ON -DBUILD_SHARED_LIBS=OFF
              -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
              -DCMAKE_UNITY_BUILD=ON
          - name: 'boringssl'
@ -381,14 +375,12 @@ jobs:
            PKG_CONFIG_PATH: /home/runner/boringssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2-boringssl/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
            configure: >-
              LDFLAGS=-Wl,-rpath,/home/runner/boringssl/build/lib
-              --with-ngtcp2 --disable-ntlm
+              --with-openssl=/home/runner/boringssl/build --with-ngtcp2 --enable-ssls-export
              --with-openssl=/home/runner/boringssl/build --enable-ssls-export
          - name: 'boringssl'
            PKG_CONFIG_PATH: /home/runner/boringssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2-boringssl/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
            generate: >-
-              -DOPENSSL_ROOT_DIR=/home/runner/boringssl/build -DBUILD_SHARED_LIBS=OFF
+              -DOPENSSL_ROOT_DIR=/home/runner/boringssl/build -DUSE_NGTCP2=ON -DBUILD_SHARED_LIBS=OFF
              -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
              -DCMAKE_UNITY_BUILD=ON
          - name: 'gnutls'
@ -397,15 +389,13 @@ jobs:
            PKG_CONFIG_PATH: /home/runner/gnutls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
            configure: >-
              LDFLAGS=-Wl,-rpath,/home/runner/gnutls/build/lib
-              --with-ngtcp2
+              --with-gnutls=/home/runner/gnutls/build --with-ngtcp2 --enable-ssls-export
              --with-gnutls=/home/runner/gnutls/build --enable-ssls-export
          - name: 'gnutls'
            install_packages: nettle-dev libp11-kit-dev
            PKG_CONFIG_PATH: /home/runner/gnutls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
            generate: >-
-              -DCURL_USE_GNUTLS=ON
+              -DCURL_USE_GNUTLS=ON -DUSE_NGTCP2=ON
              -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON
              -DCMAKE_UNITY_BUILD=ON
          - name: 'wolfssl'
@ -413,9 +403,7 @@ jobs:
            PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
            configure: >-
              LDFLAGS=-Wl,-rpath,/home/runner/wolfssl/build/lib
-              --with-ngtcp2
+              --with-wolfssl=/home/runner/wolfssl/build --with-ngtcp2 --enable-ech --enable-ssls-export
              --with-wolfssl=/home/runner/wolfssl/build
              --enable-ech --enable-ssls-export
              --enable-unity
          - name: 'wolfssl'
@ -429,7 +417,6 @@ jobs:
            PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
            configure: >-
              LDFLAGS=-Wl,-rpath,/home/runner/openssl/build/lib
              --disable-ntlm
              --with-openssl=/home/runner/openssl/build --with-openssl-quic
          - name: 'openssl-quic'
@ -437,7 +424,6 @@ jobs:
            generate: >-
              -DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_OPENSSL_QUIC=ON
              -DCURL_DISABLE_LDAP=ON
              -DCURL_DISABLE_NTLM=ON
              -DCMAKE_UNITY_BUILD=ON
          - name: 'quiche'
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -868,6 +868,18 @@ if(CURL_USE_MBEDTLS)
    set(_valid_default_ssl_backend TRUE)
  endif()
  set(_curl_ca_bundle_supported TRUE)
  if(MBEDTLS_VERSION VERSION_GREATER_EQUAL 4.0.0)
    set(HAVE_MBEDTLS_DES_CRYPT_ECB 0)  # pre-fill detection result
  endif()
  if(NOT DEFINED HAVE_MBEDTLS_DES_CRYPT_ECB)
    cmake_push_check_state()
    list(APPEND CMAKE_REQUIRED_INCLUDES "${MBEDTLS_INCLUDE_DIRS}")
    list(APPEND CMAKE_REQUIRED_LIBRARIES "${MBEDTLS_LIBRARIES}")
    curl_required_libpaths("${MBEDTLS_LIBRARY_DIRS}")
    check_function_exists("mbedtls_des_crypt_ecb" HAVE_MBEDTLS_DES_CRYPT_ECB)  # in mbedTLS <4
    cmake_pop_check_state()
  endif()
 endif()
 if(CURL_USE_WOLFSSL)
@ -1075,6 +1087,9 @@ if(USE_WOLFSSL)
 endif()
 if(USE_OPENSSL)
  if(NOT DEFINED HAVE_DES_ECB_ENCRYPT)
    curl_openssl_check_exists("DES_ecb_encrypt" "openssl/des.h" HAVE_DES_ECB_ENCRYPT)
  endif()
  if(NOT DEFINED HAVE_SSL_SET0_WBIO)
    curl_openssl_check_exists("SSL_set0_wbio" HAVE_SSL_SET0_WBIO)
  endif()
@ -2079,8 +2094,8 @@ endmacro()
 # NTLM support requires crypto functions from various SSL libs.
 # These conditions must match those in lib/curl_setup.h.
 if(NOT CURL_DISABLE_NTLM AND
-   (USE_OPENSSL OR
+   ((USE_OPENSSL AND HAVE_DES_ECB_ENCRYPT) OR
-    (USE_MBEDTLS AND MBEDTLS_VERSION VERSION_LESS 4.0.0) OR
+    (USE_MBEDTLS AND HAVE_MBEDTLS_DES_CRYPT_ECB) OR
    USE_GNUTLS OR
    USE_WIN32_CRYPTO OR
    (USE_WOLFSSL AND HAVE_WOLFSSL_DES_ECB_ENCRYPT)))
--- a/configure.ac
+++ b/configure.ac
@ -5252,12 +5252,11 @@ fi
 use_curl_ntlm_core=no
 if test "x$CURL_DISABLE_NTLM" != "x1"; then
-  if test "x$OPENSSL_ENABLED" = "x1" \
+  if test "x$HAVE_DES_ECB_ENCRYPT" = "x1" \
      -o "x$GNUTLS_ENABLED" = "x1" \
      -o "x$USE_WIN32_CRYPTO" = "x1" \
-      -o "x$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "x1"; then
+      -o "x$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "x1" \
-    use_curl_ntlm_core=yes
+      -o "x$HAVE_MBEDTLS_DES_CRYPT_ECB" = "x1"; then
  elif test "x$MBEDTLS_ENABLED" = "x1" && test "$mbedtls_4" = "0"; then
    use_curl_ntlm_core=yes
  fi
--- a/docs/INSTALL-CMAKE.md
+++ b/docs/INSTALL-CMAKE.md
@ -491,9 +491,11 @@ the parent project, ideally in the "extra" find package redirect file:
 Available variables:
 - `HAVE_DES_ECB_ENCRYPT`:                   `DES_ecb_encrypt` present in OpenSSL (or fork).
 - `HAVE_GNUTLS_SRP`:                        `gnutls_srp_verifier` present in GnuTLS.
 - `HAVE_LDAP_INIT_FD`:                      `ldap_init_fd` present in LDAP library.
 - `HAVE_LDAP_URL_PARSE`:                    `ldap_url_parse` present in LDAP library.
 - `HAVE_MBEDTLS_DES_CRYPT_ECB`:             `mbedtls_des_crypt_ecb` present in mbedTLS <4.
 - `HAVE_OPENSSL_SRP`:                       `SSL_CTX_set_srp_username` present in OpenSSL (or fork).
 - `HAVE_QUICHE_CONN_SET_QLOG_FD`:           `quiche_conn_set_qlog_fd` present in quiche.
 - `HAVE_RUSTLS_SUPPORTED_HPKE`:             `rustls_supported_hpke` present in Rustls (unused if Rustls is detected via `pkg-config`).
--- a/lib/curl_config.h.cmake
+++ b/lib/curl_config.h.cmake
@ -673,6 +673,9 @@ ${SIZEOF_TIME_T_CODE}
 /* if mbedTLS is enabled */
 #cmakedefine USE_MBEDTLS 1
 /* if mbedTLS <4 has the mbedtls_des_crypt_ecb function. */
 #cmakedefine HAVE_MBEDTLS_DES_CRYPT_ECB 1
 /* if Rustls is enabled */
 #cmakedefine USE_RUSTLS 1
@ -801,7 +804,10 @@ ${SIZEOF_TIME_T_CODE}
 #cmakedefine USE_ECH 1
 /* Define to 1 if you have the wolfSSL_CTX_GenerateEchConfig function. */
-#cmakedefine HAVE_WOLFSSL_CTX_GENERATEECHCONFIG
+#cmakedefine HAVE_WOLFSSL_CTX_GENERATEECHCONFIG 1
 /* Define to 1 if you have the SSL_set1_ech_config_list function. */
-#cmakedefine HAVE_SSL_SET1_ECH_CONFIG_LIST
+#cmakedefine HAVE_SSL_SET1_ECH_CONFIG_LIST 1
 /* Define to 1 if OpenSSL has the DES_ecb_encrypt function. */
 #cmakedefine HAVE_DES_ECB_ENCRYPT 1
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@ -50,21 +50,19 @@
     in NTLM type-3 messages.
 */
-#ifdef USE_OPENSSL
+#ifdef USE_MBEDTLS
-  #include <openssl/opensslconf.h>
+#include <mbedtls/version.h>
-  #if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#if MBEDTLS_VERSION_NUMBER < 0x03020000
-    #define USE_OPENSSL_DES
+  #error "mbedTLS 3.2.0 or later required"
-  #endif
+#endif
-#elif defined(USE_WOLFSSL)
+#endif
-  #include <wolfssl/options.h>
+
-  #ifndef NO_DES3
+#if defined(USE_OPENSSL) && defined(HAVE_DES_ECB_ENCRYPT)
-    #define USE_OPENSSL_DES
+  #define USE_OPENSSL_DES
-  #endif
+#elif defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT)
-#elif defined(USE_MBEDTLS)
+  #define USE_OPENSSL_DES
-  #include <mbedtls/version.h>
+#elif defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)
-  #if MBEDTLS_VERSION_NUMBER < 0x04000000
+  #define USE_MBEDTLS_DES
    #define USE_MBEDTLS_DES
  #endif
 #endif
 #ifdef USE_OPENSSL_DES
@ -79,6 +77,7 @@
 #  endif
 #  define DESKEY(x) &x
 #else
 #  include <wolfssl/options.h>
 #  include <wolfssl/openssl/des.h>
 #  include <wolfssl/openssl/md5.h>
 #  include <wolfssl/openssl/ssl.h>
@ -111,7 +110,6 @@
 #  include <wincrypt.h>
 #else
 #  error "cannot compile NTLM support without a crypto library with DES."
 #  define CURL_NTLM_NOT_SUPPORTED
 #endif
 #include "urldata.h"
@ -128,7 +126,6 @@
 #include "curl_memory.h"
 #include "memdebug.h"
 #ifndef CURL_NTLM_NOT_SUPPORTED
 /*
 * Turns a 56-bit key into being 64-bit wide.
 */
@ -143,7 +140,6 @@ static void extend_key_56_to_64(const unsigned char *key_56, char *key)
  key[6] = (char)(((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6));
  key[7] = (char) ((key_56[6] << 1) & 0xFF);
 }
 #endif
 #ifdef USE_OPENSSL_DES
 /*
@ -328,11 +324,9 @@ CURLcode Curl_ntlm_core_mk_lm_hash(const char *password,
                                   unsigned char *lmbuffer /* 21 bytes */)
 {
  unsigned char pw[14];
 #ifndef CURL_NTLM_NOT_SUPPORTED
  static const unsigned char magic[] = {
    0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 /* i.e. KGS!@#$% */
  };
 #endif
  size_t len = CURLMIN(strlen(password), 14);
  Curl_strntoupper((char *)pw, password, len);
--- a/lib/curl_setup.h
+++ b/lib/curl_setup.h
@ -737,13 +737,6 @@
 #  endif
 #endif
 #ifdef USE_MBEDTLS
 #include <mbedtls/version.h>
 #if MBEDTLS_VERSION_NUMBER < 0x03020000
  #error "mbedTLS 3.2.0 or later required"
 #endif
 #endif
 #if defined(USE_WOLFSSL) && defined(USE_GNUTLS)
 /* Avoid defining unprefixed wolfSSL SHA macros colliding with nettle ones */
 #define NO_OLD_WC_NAMES
@ -763,9 +756,9 @@
 /* Single point where USE_NTLM definition might be defined */
 #ifndef CURL_DISABLE_NTLM
-#  if defined(USE_OPENSSL) ||                                           \
+#  if (defined(USE_OPENSSL) && defined(HAVE_DES_ECB_ENCRYPT)) ||        \
  defined(USE_GNUTLS) ||                                                \
-  (defined(USE_MBEDTLS) && MBEDTLS_VERSION_NUMBER < 0x04000000) ||      \
+  (defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)) ||      \
  defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) ||              \
  (defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT))
 #    define USE_CURL_NTLM_CORE
--- a/lib/md5.c
+++ b/lib/md5.c
@ -49,6 +49,10 @@
 #endif
 #ifdef USE_MBEDTLS
  #include <mbedtls/version.h>
  #if MBEDTLS_VERSION_NUMBER < 0x03020000
    #error "mbedTLS 3.2.0 or later required"
  #endif
  #include <psa/crypto_config.h>
  #if defined(PSA_WANT_ALG_MD5) && PSA_WANT_ALG_MD5  /* mbedTLS 4+ */
    #define USE_MBEDTLS_MD5
--- a/lib/sha256.c
+++ b/lib/sha256.c
@ -33,6 +33,10 @@
 #include "curl_hmac.h"
 #ifdef USE_MBEDTLS
  #include <mbedtls/version.h>
  #if MBEDTLS_VERSION_NUMBER < 0x03020000
    #error "mbedTLS 3.2.0 or later required"
  #endif
  #include <psa/crypto_config.h>
  #if defined(PSA_WANT_ALG_SHA_256) && PSA_WANT_ALG_SHA_256  /* mbedTLS 4+ */
    #define USE_MBEDTLS_SHA256
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@ -37,6 +37,9 @@
 /* #define MBEDTLS_DEBUG */
 #include <mbedtls/version.h>
 #if MBEDTLS_VERSION_NUMBER < 0x03020000
  #error "mbedTLS 3.2.0 or later required"
 #endif
 #include <psa/crypto_config.h>
 #include <mbedtls/net_sockets.h>
 #include <mbedtls/ssl.h>
--- a/m4/curl-mbedtls.m4
+++ b/m4/curl-mbedtls.m4
@ -107,24 +107,11 @@ if test "x$OPT_MBEDTLS" != xno; then
        LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE mbedtls mbedx509 mbedcrypto"
      fi
-      mbedtls_4=0
+      dnl Check DES support in mbedTLS <4.
-      AC_MSG_CHECKING([for mbedTLS >= v4])
+      AC_CHECK_FUNCS(mbedtls_des_crypt_ecb)
-      AC_COMPILE_IFELSE([
+      if test "$ac_cv_func_mbedtls_des_crypt_ecb" = 'yes'; then
-        AC_LANG_PROGRAM([[
+        HAVE_MBEDTLS_DES_CRYPT_ECB=1
-          #include <mbedtls/version.h>
+      fi
        ]],[[
          #if (MBEDTLS_VERSION_NUMBER >= 0x04000000)
          return 0;
          #else
          #error older than 4
          #endif
        ]])
      ],[
        mbedtls_4=1
        AC_MSG_RESULT([yes])
      ],[
        AC_MSG_RESULT([no])
      ])
    fi
  fi dnl mbedTLS not disabled
--- a/m4/curl-openssl.m4
+++ b/m4/curl-openssl.m4
@ -340,6 +340,29 @@ if test X"$OPT_OPENSSL" != Xno &&
  AC_MSG_ERROR([--with-openssl was given but OpenSSL could not be detected])
 fi
 dnl ---
 dnl We check OpenSSL for DES support.
 dnl ---
 if test "$OPENSSL_ENABLED" = "1"; then
  AC_MSG_CHECKING([for DES support in OpenSSL])
  AC_LINK_IFELSE([
    AC_LANG_PROGRAM([[
      #ifndef OPENSSL_SUPPRESS_DEPRECATED
      #define OPENSSL_SUPPRESS_DEPRECATED
      #endif
      #include <openssl/des.h>
    ]],[[
      DES_ecb_encrypt(0, 0, 0, DES_ENCRYPT);
    ]])
  ],[
    AC_MSG_RESULT([yes])
    AC_DEFINE(HAVE_DES_ECB_ENCRYPT, 1, [if you have the function DES_ecb_encrypt])
    HAVE_DES_ECB_ENCRYPT=1
  ],[
    AC_MSG_RESULT([no])
  ])
 fi
 dnl ---
 dnl We require OpenSSL with SRP support.
 dnl ---