From ef17e7a0e207a30b93ec7f7e5e8f88625a869b06 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Wed, 11 Dec 2024 17:36:47 +0900
Subject: [PATCH] Revert back to using GnuTLS as the TLS backend

The previous commit switched from GnuTLS to OpenSSL to avoid direct usage of Nettle functions for NTLM, which worked but posed user-visible incompatibilities such as PKCS#11 URI passed with --certificate option.
This patch switches wget back to using GnuTLS but uses non-Nettle implementation of deprecated algorithms for NTLM.
Resolves: RHEL-69748
Signed-off-by: Daiki Ueno
---
 wget-1.24.5-no-nettle.patch | 153 ++++++++++++++++++++++++++++++++++++
 wget.spec | 14 +++-
 2 files changed, 164 insertions(+), 3 deletions(-)
 create mode 100644 wget-1.24.5-no-nettle.patch

diff --git a/wget-1.24.5-no-nettle.patch b/wget-1.24.5-no-nettle.patch
new file mode 100644
index 0000000..8d25624
--- /dev/null
+++ b/wget-1.24.5-no-nettle.patch
@@ -0,0 +1,153 @@
+From 9476ce232a3dcadc205e963eb69a567f478fde95 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Wed, 11 Dec 2024 17:14:58 +0900
+Subject: [PATCH] wget-1.24.5-no-nettle.patch
+
+---
+ src/http-ntlm.c | 91 ++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 68 insertions(+), 23 deletions(-)
+
+diff --git a/src/http-ntlm.c b/src/http-ntlm.c
+index ee054e0..9f5b50e 100644
+--- a/src/http-ntlm.c
++++ b/src/http-ntlm.c
+@@ -44,13 +44,14 @@ as that of the covered work. */
+ 
+ #include "utils.h"
+ #include "http-ntlm.h"
++#include "md4.h"
+ 
+-#ifdef HAVE_NETTLE
+-# include
++#ifdef HAVE_LIBGNUTLS
++# include
++#elif defined HAVE_NETTLE
+ # include
+ #else
+ # include
+-# include
+ # include
+ 
+ # if OPENSSL_VERSION_NUMBER < 0x00907001L
+@@ -164,7 +165,31 @@ ntlm_input (struct ntlmdata *ntlm, const char *header)
+ * Turns a 56 bit key into the 64 bit, odd parity key and sets the key. The
+ * key schedule ks is also set.
+ */
+-#ifdef HAVE_NETTLE
++#ifdef HAVE_LIBGNUTLS
++static void
++setup_des_key(unsigned char *key_56,
++ gnutls_cipher_hd_t *des)
++{
++ unsigned char key[8];
++ gnutls_datum_t _key;
++ int ret;
++
++ key[0] = key_56[0];
++ key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
++ key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
++ key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
++ key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
++ key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
++ key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
++ key[7] = (key_56[6] << 1) & 0xFF;
++
++ _key.data = key;
++ _key.size = sizeof(key);
++ ret = gnutls_cipher_init(des, GNUTLS_CIPHER_DES_CBC, &_key, NULL);
++ if (ret < 0)
++ abort ();
++}
++#elif defined HAVE_NETTLE
+ static void
+ setup_des_key(unsigned char *key_56,
+ struct des_ctx *des)
+@@ -211,7 +236,28 @@ setup_des_key(unsigned char *key_56,
+ static void
+ calc_resp(unsigned char *keys, unsigned char *plaintext, unsigned char *results)
+ {
+-#ifdef HAVE_NETTLE
++#ifdef HAVE_LIBGNUTLS
++ gnutls_cipher_hd_t des;
++ int ret;
++
++ setup_des_key(keys, &des);
++ ret = gnutls_cipher_encrypt2(des, plaintext, 8, results, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++
++ setup_des_key(keys + 7, &des);
++ ret = gnutls_cipher_encrypt2(des, plaintext, 8, results + 8, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++
++ setup_des_key(keys + 14, &des);
++ ret = gnutls_cipher_encrypt2(des, plaintext, 8, results + 16, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++#elif defined HAVE_NETTLE
+ struct des_ctx des;
+ 
+ setup_des_key(keys, &des);
+@@ -274,7 +320,22 @@ mkhash(const char *password,
+ 
+ {
+ /* create LanManager hashed password */
+-#ifdef HAVE_NETTLE
++#ifdef HAVE_LIBGNUTLS
++ gnutls_cipher_hd_t des;
++ int ret;
++
++ setup_des_key(pw, &des);
++ ret = gnutls_cipher_encrypt2(des, magic, 8, lmbuffer, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++
++ setup_des_key(pw + 7, &des);
++ ret = gnutls_cipher_encrypt2(des, magic, 8, lmbuffer + 8, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++#elif defined HAVE_NETTLE
+ struct des_ctx des;
+ 
+ setup_des_key(pw, &des);
+@@ -301,12 +362,6 @@ mkhash(const char *password,
+ 
+ #ifdef USE_NTRESPONSES
+ {
+-#ifdef HAVE_NETTLE
+- struct md4_ctx MD4;
+-#else
+- MD4_CTX MD4;
+-#endif
+-
+ unsigned char pw4[64];
+ 
+ len = strlen (password);
+@@ -319,17 +374,7 @@ mkhash(const char *password,
+ pw4[2 * i + 1] = 0;
+ }
+ 
+-#ifdef HAVE_NETTLE
+- nettle_md4_init(&MD4);
+- nettle_md4_update(&MD4, (unsigned) (2 * len), pw4);
+- nettle_md4_digest(&MD4, MD4_DIGEST_SIZE, ntbuffer);
+-#else
+- /* create NT hashed password */
+- MD4_Init(&MD4);
+- MD4_Update(&MD4, pw4, 2 * len);
+- MD4_Final(ntbuffer, &MD4);
+-#endif
+-
++ md4_buffer((const char *) pw4, (unsigned) (2 * len), ntbuffer);
+ memset(ntbuffer + 16, 0, 5);
+ }
+ 
+-- 
+2.47.0
+
diff --git a/wget.spec b/wget.spec
index 7b7604c..4b30087 100644
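Review bot: Every GnuTLS failure in the new HAVE_LIBGNUTLS branches of setup_des_key, calc_resp and mkhash ends in abort(), so on a system where the library refuses DES (FIPS mode is the obvious candidate, though I have not checked the RHEL GnuTLS policy) wget would crash as soon as a server answers with an NTLM challenge, whereas the Nettle and OpenSSL paths it replaces had no failing call at all. Returning a status from setup_des_key and calc_resp and letting the caller fail the authentication would be the cleaner shape; calc_resp and mkhash continue past the inner hunks shown here, so that change reaches code not in this diff. Separately, gnutls_cipher_init is given GNUTLS_CIPHER_DES_CBC with a NULL IV to stand in for the single-block ECB operation the other backends perform; I believe GnuTLS zero-fills the IV in that case, but passing `unsigned char iv[8] = {0}; gnutls_datum_t _iv = { iv, sizeof(iv) };` as the last argument removes the dependence on that behaviour. A comment on that call, `/* one 8-byte block with a zero IV: CBC reduces to the ECB step NTLM specifies */`, would spare the next reader the same question.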
--- a/wget.spec
+++ b/wget.spec
@@ -1,7 +1,7 @@
 Summary: A utility for retrieving files using the HTTP or FTP protocols
 Name: wget
 Version: 1.24.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPL-3.0-or-later AND LGPL-2.1-or-later AND GFDL-1.3-or-later
 Url: http://www.gnu.org/software/wget/
 Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
@@ -9,6 +9,7 @@ Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
 Patch1: wget-1.17-path.patch
 Patch3: wget-1.21-metalink-man.patch
 Patch5: wget-1.21-CVE-2024-38428.patch
+Patch6: wget-1.24.5-no-nettle.patch
 Provides: webclient
 Provides: bundled(gnulib)
@@ -18,7 +19,7 @@ BuildRequires: perl(lib)
 BuildRequires: perl(English)
 BuildRequires: perl(HTTP::Daemon)
 BuildRequires: python3
-BuildRequires: openssl-devel
+BuildRequires: gnutls-devel
 BuildRequires: pkgconfig
 BuildRequires: texinfo
 BuildRequires: gettext
@@ -31,6 +32,7 @@ BuildRequires: gpgme-devel
 BuildRequires: gcc
 BuildRequires: zlib-devel
 BuildRequires: git-core
+BuildRequires: nettle-devel
 %description
 GNU Wget is a file retrieval utility which can use either the HTTP or
@@ -50,11 +52,12 @@ grep "PACKAGE_STRING='wget .* (Red Hat modified)'" configure || exit 1
 %build
 %configure \
- --with-ssl=openssl \
+ --with-ssl=gnutls \
 --with-libpsl \
 --enable-largefile \
 --enable-opie \
 --enable-digest \
+ --enable-ntlm \
 --enable-nls \
 --enable-ipv6 \
 --disable-rpath
@@ -80,6 +83,11 @@ make check
 %{_infodir}/*
 %changelog
+* Wed Dec 11 2024 Daiki Ueno - 1.24.5-5
+- Revert back to using GnuTLS as the TLS backend
+- Use bundled implementation of MD4 for NTLM
+ Resolves: RHEL-69748 - wget cannot open pkcs11 uri
+
 * Thu Nov 07 2024 Michal Ruprich - 1.24.5-4
 - Resolves: RHEL-59862 - Avoid direct usage of nettle functions
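Review bot: The spec now adds `BuildRequires: nettle-devel` even though the commit's stated purpose is to stop using Nettle directly, and nothing in the spec records why it is still needed; my guess is that wget's configure only enables the NTLM code when it finds a Nettle or OpenSSL crypto library, while the patched http-ntlm.c then prefers its HAVE_LIBGNUTLS branch — please confirm. A one-line comment above it, `# only to satisfy configure's --enable-ntlm probe; http-ntlm.c uses GnuTLS (Patch6)`, would stop a later cleanup from dropping it and silently changing which backend the NTLM code is built against. The %changelog hunk's last context line falls outside what is shown here.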