From 497e7c9d3460566712b3cd81b272cde7826f264c Mon Sep 17 00:00:00 2001 From: Bill Nagel Date: Thu, 7 Jul 2016 08:40:45 -0700 Subject: [PATCH] mbedtls: Added support for NTLM --- configure.ac | 8 ++++---- docs/FAQ | 4 ++-- docs/FEATURES | 4 ++-- lib/curl_ntlm_core.c | 35 +++++++++++++++++++++++++++++++---- lib/curl_setup.h | 5 +++-- 5 files changed, 42 insertions(+), 14 deletions(-) diff --git a/configure.ac b/configure.ac index 60c99acea3..3c2fe27056 100644 --- a/configure.ac +++ b/configure.ac @@ -3697,8 +3697,8 @@ fi if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1"; then if test "x$OPENSSL_ENABLED" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \ - -o "x$GNUTLS_ENABLED" = "x1" -o "x$NSS_ENABLED" = "x1" \ - -o "x$DARWINSSL_ENABLED" = "x1"; then + -o "x$GNUTLS_ENABLED" = "x1" -o "x$MBEDTLS_ENABLED" = "x1" \ + -o "x$NSS_ENABLED" = "x1" -o "x$DARWINSSL_ENABLED" = "x1"; then SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM" if test "x$CURL_DISABLE_HTTP" != "x1" -a \ @@ -3770,8 +3770,8 @@ fi if test "x$CURL_DISABLE_SMB" != "x1" \ -a "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" \ -a \( "x$OPENSSL_ENABLED" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \ - -o "x$GNUTLS_ENABLED" = "x1" -o "x$NSS_ENABLED" = "x1" \ - -o "x$DARWINSSL_ENABLED" = "x1" \); then + -o "x$GNUTLS_ENABLED" = "x1" -o "x$MBEDTLS_ENABLED" = "x1" \ + -o "x$NSS_ENABLED" = "x1" -o "x$DARWINSSL_ENABLED" = "x1" \); then SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SMB" if test "x$SSL_ENABLED" = "x1"; then SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SMBS" diff --git a/docs/FAQ b/docs/FAQ index 681ce29279..d9e538aff4 100644 --- a/docs/FAQ +++ b/docs/FAQ 
@@ -968,8 +968,8 @@ FAQ 4.9 Curl can't authenticate to the server that requires NTLM? - NTLM support requires OpenSSL, GnuTLS, NSS, Secure Transport, or Microsoft - Windows libraries at build-time to provide this functionality. + NTLM support requires OpenSSL, GnuTLS, mbedTLS, NSS, Secure Transport, or + Microsoft Windows libraries at build-time to provide this functionality. NTLM is a Microsoft proprietary protocol. Proprietary formats are evil. You should not use such ones. diff --git a/docs/FEATURES b/docs/FEATURES index 10fbdd5708..24fa56dd3f 100644 --- a/docs/FEATURES +++ b/docs/FEATURES @@ -195,8 +195,8 @@ FOOTNOTES *7 = requires OpenSSL, NSS, GSKit, WinSSL or Secure Transport; GnuTLS, for example, only supports SSLv3 and TLSv1 *8 = requires libssh2 - *9 = requires OpenSSL, GnuTLS, NSS, yassl, Secure Transport or SSPI (native - Windows) + *9 = requires OpenSSL, GnuTLS, mbedTLS, NSS, yassl, Secure Transport or SSPI + (native Windows) *10 = requires any of the SSL libraries in (*1) above other than axTLS, which does not support SSLv3 *11 = requires libidn or Windows diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c index f3fb01321c..4b9da2c2a0 100644 --- a/lib/curl_ntlm_core.c +++ b/lib/curl_ntlm_core.c @@ -76,6 +76,11 @@ # define MD5_DIGEST_LENGTH 16 # define MD4_DIGEST_LENGTH 16 +#elif defined(USE_MBEDTLS) + +# include +# include + #elif defined(USE_NSS) # include 
@@ -188,6 +193,26 @@ static void setup_des_key(const unsigned char *key_56, gcry_cipher_setkey(*des, key, sizeof(key)); } +#elif defined(USE_MBEDTLS) + +static bool encrypt_des(const unsigned char *in, unsigned char *out, + const unsigned char *key_56) +{ + mbedtls_des_context ctx; + char key[8]; + + /* Expand the 56-bit key to 64-bits */ + extend_key_56_to_64(key_56, key); + + /* Set the key parity to odd */ + mbedtls_des_key_set_parity((unsigned char *) key); + + /* Perform the encryption */ + mbedtls_des_init(&ctx); + mbedtls_des_setkey_enc(&ctx, (unsigned char *) key); + return mbedtls_des_crypt_ecb(&ctx, in, out) == 0; +} + #elif defined(USE_NSS) /* @@ -400,8 +425,8 @@ void Curl_ntlm_core_lm_resp(const unsigned char *keys, setup_des_key(keys + 14, &des); gcry_cipher_encrypt(des, results + 16, 8, plaintext, 8); gcry_cipher_close(des); -#elif defined(USE_NSS) || defined(USE_DARWINSSL) || defined(USE_OS400CRYPTO) \ - || defined(USE_WIN32_CRYPTO) +#elif defined(USE_MBEDTLS) || defined(USE_NSS) || defined(USE_DARWINSSL) \ + || defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) encrypt_des(plaintext, results, keys); encrypt_des(plaintext, results + 8, keys + 7); encrypt_des(plaintext, results + 16, keys + 14); @@ -464,8 +489,8 @@ CURLcode Curl_ntlm_core_mk_lm_hash(struct Curl_easy *data, setup_des_key(pw + 7, &des); gcry_cipher_encrypt(des, lmbuffer + 8, 8, magic, 8); gcry_cipher_close(des); -#elif defined(USE_NSS) || defined(USE_DARWINSSL) || defined(USE_OS400CRYPTO) \ - || defined(USE_WIN32_CRYPTO) +#elif defined(USE_MBEDTLS) || defined(USE_NSS) || defined(USE_DARWINSSL) \ + || defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) encrypt_des(magic, lmbuffer, pw); encrypt_des(magic, lmbuffer + 8, pw + 7); #endif 
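Review bot: The new mbedTLS `encrypt_des` in the `@@ -188` hunk never releases its `mbedtls_des_context`, so the DES key schedule derived from the password material stays on the stack after the function returns. `mbedtls_des_free()` clears the context, so I would keep the result in a local and free before returning: `rc = mbedtls_des_crypt_ecb(&ctx, in, out);`, `mbedtls_des_free(&ctx);`, `return rc == 0;`. The expanded `key[8]` buffer is also left uncleared, and declaring it `unsigned char` would drop the two casts if `extend_key_56_to_64` accepts that type (its prototype is outside the hunk). The `encrypt_des(...)` calls shown in the `@@ -400` and `@@ -464` hunks discard the `bool` result, so a failed encryption would go unnoticed there; both calling functions start and end outside those hunks.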
@@ -543,6 +568,8 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, gcry_md_write(MD4pw, pw, 2 * len); memcpy (ntbuffer, gcry_md_read (MD4pw, 0), MD4_DIGEST_LENGTH); gcry_md_close(MD4pw); +#elif defined(USE_MBEDTLS) + mbedtls_md4(pw, 2 * len, ntbuffer); #elif defined(USE_NSS) || defined(USE_OS400CRYPTO) Curl_md4it(ntbuffer, pw, 2 * len); #elif defined(USE_DARWINSSL) diff --git a/lib/curl_setup.h b/lib/curl_setup.h index 7dcc4c4cdb..e585ea6a5d 100644 --- a/lib/curl_setup.h +++ b/lib/curl_setup.h @@ -634,8 +634,9 @@ int netware_init(void); /* Single point where USE_NTLM definition might be defined */ #if !defined(CURL_DISABLE_NTLM) && !defined(CURL_DISABLE_CRYPTO_AUTH) #if defined(USE_OPENSSL) || defined(USE_WINDOWS_SSPI) || \ - defined(USE_GNUTLS) || defined(USE_NSS) || defined(USE_DARWINSSL) || \ - defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) + defined(USE_GNUTLS) || defined(USE_MBEDTLS) || defined(USE_NSS) || \ + defined(USE_DARWINSSL) || defined(USE_OS400CRYPTO) || \ + defined(USE_WIN32_CRYPTO) #define USE_NTLM #endif
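Review bot: The `mbedtls_md4(pw, 2 * len, ntbuffer);` call added in the `@@ -543` hunk assumes the MD4 module is compiled into the mbedTLS library, and the DES calls in `encrypt_des` make the same assumption, but nothing in this commit checks for either. mbedTLS lets both modules be switched off in its build configuration (`MBEDTLS_MD4_C`, `MBEDTLS_DES_C`), so the `USE_NTLM` condition in the `curl_setup.h` hunk and the `MBEDTLS_ENABLED` tests in `configure.ac` can enable NTLM for a library that cannot provide it. I would guard the branch, for example `#elif defined(USE_MBEDTLS) && defined(MBEDTLS_MD4_C)`, and add a comment by `USE_NTLM` naming the modules the mbedTLS path needs. The second `configure.ac` hunk also turns on SMB for mbedTLS builds, which the commit subject does not mention and may deserve a line in the description. `Curl_ntlm_core_mk_nt_hash` starts and ends outside the hunk.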