#1439 cannot compile curl with OpenSSL lacking DES support

closed-invalid
5
2015-03-29
2014-10-24
No

I stumbled upon this while compiling CURL with a stripped-down OpenSSL:

Curl lacks in "curl_ntlm_core.c" (and perhaps other places) detection if OpenSSL has been compiled without DES (and perhaps DSA, or RSA). Such compilations take place on memory-constrained systems, or if the release manager has decided not to include those old ciphers (you don't need DSA in OpenSSL for ECDSA).

For example:

openssl:

./Configure linux-x86_64 no-des

curl:

./configure --enable-http --with-ssl --without-ntlm --disable-ntlm # I tried!
make

libtool: compile: x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I../include/curl -I../include -I../include -I../lib -I../lib -DBUILDING_LIBCURL -DCURL_HIDDEN_SYMBOLS -fvisibility=hidden -O2 -Wno-system-headers -pthread -c curl_ntlm_core.c -fPIC -DPIC -o .libs/libcurl_la-curl_ntlm_core.o
curl_ntlm_core.c:37:29: fatal error: openssl/des.h: No such file or directory
# include <openssl/des.h>
^
compilation terminated.

Discussion

  • Mark Kubacki

    Mark Kubacki - 2014-10-24

    A workaround is adding to lib/curl_setup.h:

    #if !defined(USE_OPENSSL) || !defined(OPENSSL_NO_DES)
    #define USE_NTLM
    #endif
    
     
  • Daniel Stenberg

    Daniel Stenberg - 2014-10-25
    • summary: cannot compile curl without NTLM (OpenSSL without DES) --> cannot compile curl with OpenSSL lacking DES support
    • assigned_to: Daniel Stenberg
     
  • Steve Holme

    Steve Holme - 2014-12-31

    To assist with this I had a go at reproducing the problem under Windows so I compiled my OpenSSL with no-des and also had the same issue.

    The problem with trying to fix this in curl_setup.h is that USE_NTLM gets defined at line 628 depending on which cryptography / SSL engine has been defined in the makefile or project files and at this point we don't include the OpenSSL include files which is what is needed for opensslconf.h to be included (where OPENSSL_NO_DES is defined).

    We could fix this for configure based builds if a) we support a --disable-ntlm / --without-ntlm option, b) detected OPENSSL_NO_DES from opensslconf.h or c) detected the DES_* functions. For any of these we could define CURL_DISABLE_NTLM. However, the problem would still exist under Windows and other platforms that don't use configure :(

    I couldn't think of a quick fix that would support different platforms which didn't involve including OpenSSL header files from curl_setup.h :(

     
  • Steve Holme

    Steve Holme - 2015-02-02

    I think the recent changes to configure.ac might partially fix this as we have currently disabled NTLM for BoringSSL based builds.

    However, curl may report that it is building against BoringSSL instead. Just a theory as I don't personally build OpenSSL on configure based systems so can't really test.

    Daniel: I meant to discuss this with you in person over the weekend and with our busy schedule I unfortunately forgot :( Is it possible to detect OPENSSL_NO_DES in configure.ac and set a new HAVE_DES pre-processor variable set accordingly? I appreciate this won't fix the issue under Windows but then someone who needs that could override HAVE_DES in config-win32.h or similar.

     
  • Daniel Stenberg

    Daniel Stenberg - 2015-02-04

    It wouldn't be hard to do, no.

    But: OpenSSL has an API and we already fight pretty hard to use it and to adjust to its changes over time. I do not think we need to add to our work load to also support when users deliberately break the API.

    I am thus -1 on supporting this build-time option in OpenSSL. I don't want to spend any of my time on it.

     
  • Daniel Stenberg

    Daniel Stenberg - 2015-03-29
    • status: open --> closed-invalid
     
  • Daniel Stenberg

    Daniel Stenberg - 2015-03-29

    I'm closing this now since this is not strictly a bug. We just don't support very custom OpenSSL builds. I could be talked into accepting patches that introduce support for this however.
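
Option b) from the 2014-12-31 comment (detect OPENSSL_NO_DES from opensslconf.h and define CURL_DISABLE_NTLM), sketched as a shell check. This is an added example, not curl's configure code and not something posted in the thread; the function names and the sample header tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: decide at build time whether NTLM must be disabled because
# the OpenSSL headers were generated with "no-des".
# Function names are hypothetical; they are not part of curl's build system.

# Return 0 if INCLUDE_DIR/openssl/opensslconf.h defines OPENSSL_NO_DES,
# 1 if it does not, 2 if the header cannot be read.
# This is a text-level check; it does not evaluate surrounding #if blocks.
openssl_lacks_des() {
    conf="$1/openssl/opensslconf.h"
    [ -r "$conf" ] || return 2
    # Anchor on '#' at line start so commented-out defines are ignored, and
    # require whitespace or end of line after the name so a longer macro
    # sharing the prefix does not match.
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_DES([[:space:]]|$)' "$conf"; then
        return 0
    fi
    return 1
}

# Print the preprocessor flag the build should add for INCLUDE_DIR.
ntlm_cppflag() {
    rc=0
    openssl_lacks_des "$1" || rc=$?
    case $rc in
        0) echo "-DCURL_DISABLE_NTLM" ;;   # DES missing: leave NTLM out
        1) echo "-DHAVE_DES" ;;            # name proposed in the thread
        *) echo "cannot read $1/openssl/opensslconf.h" >&2; return 1 ;;
    esac
}

# Write a constructed opensslconf.h under DIR; MODE is "no-des" or "full".
make_sample_tree() {
    mkdir -p "$1/openssl"
    {
        echo '/* constructed sample header, not a real OpenSSL file */'
        echo '/* #define OPENSSL_NO_DES (commented out, must not match) */'
        echo '#ifndef OPENSSL_NO_MD2'
        echo '# define OPENSSL_NO_MD2'
        echo '#endif'
        if [ "$2" = "no-des" ]; then
            echo '#ifndef OPENSSL_NO_DES'
            echo '# define OPENSSL_NO_DES'
            echo '#endif'
        fi
    } > "$1/openssl/opensslconf.h"
}
```

A configure check could instead run the same test through the C preprocessor, which also evaluates any conditionals around the define.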