Download
Browse source Changelog
Documentation
Project   Bug Bounty   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

RE: Incoming DES headache with OpenSSL 3

From: Steve Holme via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 30 Apr 2020 03:50:29 +0000

On Tue, 24 Mar 2020, Daniel Stenberg wrote:

> The current git master of OpenSSL gives us some clues of what's going to
> happen when OpenSSL version 3 ships, planned for Q3 2020 I believe. I make a
> curl build against that every once in a while to see if anything falls over.
>
> Now for the one that gives me problems:
>
> 3. The DES functions are deprecated. Meaning they're marked as such in the
> public headers and they will cause compiler warnings when used and if we
> build curl with -Werror we get build errors.

Sorry I’ve only just seen this, so apologies for being a bit late to the party, but as you know I don’t hang out in these parts much these days and I keep getting distracted with client commitments!

> So what do we do? I can think of at least 4 different ways to go with this,
> each choice with its own set of baggage to carry:
>
>
> C) Import DES code (as we have done for MD4 and MD5) and build with that code
> when OpenSSLv3 is used.

I started work on an internal implementation of DES back in February, when I was fixing up some of the MD4 and MD5 code.

> I think I personally am in the C or D camp for the moment.

It’s still work in progress but so far I have:

* Moved the DES specific code from NTLM to the DES module
* Started writing unit tests for it
* Selected a version of DES that I believe will help us out

> D) Use another 3rd party DES lib (which?) when OpenSSLv3 is used.

I contemplated something similar as well and looked at using third-party crypto libraries, such as libcrypt, for MD4, MD5 and DES should an SSL backend not support these.

> Thoughts?

For my own personal gratification I would like to support C initially and an extended D.

Unfortunately I was rather busy with my client during March and April, racking up some hours again!

Hopefully I will get back onto curl stuff and get some contributions into the next release 😉

Kind Regards

Steve

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-04-30