curl/curl
1
1
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-09-14 16:12:43 +03:00
Code Issues Packages Projects Releases Wiki Activity

lib: add ability to disable auths individually

Browse Source 
Both with configure and cmake

Closes #11490
This commit is contained in:
Wyatt O'Day 2023-07-20 10:09:04 -04:00 committed by Daniel Stenberg
parent 33dac9dfac
commit e92edfbef6
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
33 changed files with 266 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
CMakeLists.txt
View File

@ -191,8 +191,18 @@ option(CURL_DISABLE_ALTSVC "disables alt-svc support" OFF)
mark_as_advanced(CURL_DISABLE_ALTSVC) mark_as_advanced(CURL_DISABLE_ALTSVC)
option(CURL_DISABLE_COOKIES "disables cookies support" OFF) option(CURL_DISABLE_COOKIES "disables cookies support" OFF)
mark_as_advanced(CURL_DISABLE_COOKIES) mark_as_advanced(CURL_DISABLE_COOKIES)
option(CURL_DISABLE_CRYPTO_AUTH "disables cryptographic authentication" OFF) option(CURL_DISABLE_BASIC_AUTH "disables Basic authentication" OFF)
mark_as_advanced(CURL_DISABLE_CRYPTO_AUTH) mark_as_advanced(CURL_DISABLE_BASIC_AUTH)
option(CURL_DISABLE_BEARER_AUTH "disables Bearer authentication" OFF)
mark_as_advanced(CURL_DISABLE_BEARER_AUTH)
option(CURL_DISABLE_DIGEST_AUTH "disables Digest authentication" OFF)
mark_as_advanced(CURL_DISABLE_DIGEST_AUTH)
option(CURL_DISABLE_KERBEROS_AUTH "disables Kerberos authentication" OFF)
mark_as_advanced(CURL_DISABLE_KERBEROS_AUTH)
option(CURL_DISABLE_NEGOTIATE_AUTH "disables negotiate authentication" OFF)
mark_as_advanced(CURL_DISABLE_NEGOTIATE_AUTH)
option(CURL_DISABLE_AWS "disables AWS-SIG4" OFF)
mark_as_advanced(CURL_DISABLE_AWS)
option(CURL_DISABLE_DICT "disables DICT" OFF) option(CURL_DISABLE_DICT "disables DICT" OFF)
mark_as_advanced(CURL_DISABLE_DICT) mark_as_advanced(CURL_DISABLE_DICT)
option(CURL_DISABLE_DOH "disables DNS-over-HTTPS" OFF) option(CURL_DISABLE_DOH "disables DNS-over-HTTPS" OFF)
@ -1448,7 +1458,7 @@ endmacro()
# NTLM support requires crypto function adaptions from various SSL libs # NTLM support requires crypto function adaptions from various SSL libs
# TODO alternative SSL libs tests for SSP1, GNUTLS, NSS # TODO alternative SSL libs tests for SSP1, GNUTLS, NSS
if(NOT (CURL_DISABLE_CRYPTO_AUTH OR CURL_DISABLE_NTLM) AND if(NOT (CURL_DISABLE_NTLM) AND
(USE_OPENSSL OR USE_MBEDTLS OR USE_DARWINSSL OR USE_WIN32_CRYPTO OR USE_GNUTLS)) (USE_OPENSSL OR USE_MBEDTLS OR USE_DARWINSSL OR USE_WIN32_CRYPTO OR USE_GNUTLS))
set(use_curl_ntlm_core ON) set(use_curl_ntlm_core ON)
endif() endif()
@ -1471,16 +1481,16 @@ _add_if("GSS-API" HAVE_GSSAPI)
_add_if("alt-svc" NOT CURL_DISABLE_ALTSVC) _add_if("alt-svc" NOT CURL_DISABLE_ALTSVC)
_add_if("HSTS" NOT CURL_DISABLE_HSTS) _add_if("HSTS" NOT CURL_DISABLE_HSTS)
# TODO SSP1 missing for SPNEGO # TODO SSP1 missing for SPNEGO
_add_if("SPNEGO" NOT CURL_DISABLE_CRYPTO_AUTH AND _add_if("SPNEGO" NOT CURL_DISABLE_NEGOTIATE_AUTH AND
(HAVE_GSSAPI OR USE_WINDOWS_SSPI)) (HAVE_GSSAPI OR USE_WINDOWS_SSPI))
_add_if("Kerberos" NOT CURL_DISABLE_CRYPTO_AUTH AND _add_if("Kerberos" NOT CURL_DISABLE_KERBEROS_AUTH AND
(HAVE_GSSAPI OR USE_WINDOWS_SSPI)) (HAVE_GSSAPI OR USE_WINDOWS_SSPI))
# NTLM support requires crypto function adaptions from various SSL libs # NTLM support requires crypto function adaptions from various SSL libs
# TODO alternative SSL libs tests for SSP1, GNUTLS, NSS # TODO alternative SSL libs tests for SSP1, GNUTLS, NSS
_add_if("NTLM" NOT (CURL_DISABLE_CRYPTO_AUTH OR CURL_DISABLE_NTLM) AND _add_if("NTLM" NOT (CURL_DISABLE_NTLM) AND
(use_curl_ntlm_core OR USE_WINDOWS_SSPI)) (use_curl_ntlm_core OR USE_WINDOWS_SSPI))
# TODO missing option (autoconf: --enable-ntlm-wb) # TODO missing option (autoconf: --enable-ntlm-wb)
_add_if("NTLM_WB" NOT (CURL_DISABLE_CRYPTO_AUTH OR CURL_DISABLE_NTLM) AND _add_if("NTLM_WB" NOT (CURL_DISABLE_NTLM) AND
(use_curl_ntlm_core OR USE_WINDOWS_SSPI) AND (use_curl_ntlm_core OR USE_WINDOWS_SSPI) AND
NOT CURL_DISABLE_HTTP AND NTLM_WB_ENABLED) NOT CURL_DISABLE_HTTP AND NTLM_WB_ENABLED)
# TODO missing option (--enable-tls-srp), depends on GNUTLS_SRP/OPENSSL_SRP # TODO missing option (--enable-tls-srp), depends on GNUTLS_SRP/OPENSSL_SRP

117
configure.ac
View File

@ -3935,17 +3935,113 @@ AS_HELP_STRING([--disable-sspi],[Disable SSPI]),
) )
dnl ************************************************************ dnl ************************************************************
dnl disable cryptographic authentication dnl disable basic authentication
dnl dnl
AC_MSG_CHECKING([whether to enable cryptographic authentication methods]) AC_MSG_CHECKING([whether to enable basic authentication method])
AC_ARG_ENABLE(crypto-auth, AC_ARG_ENABLE(basic-auth,
AS_HELP_STRING([--enable-crypto-auth],[Enable cryptographic authentication]) AS_HELP_STRING([--enable-basic-auth],[Enable basic authentication (default)])
AS_HELP_STRING([--disable-crypto-auth],[Disable cryptographic authentication]), AS_HELP_STRING([--disable-basic-auth],[Disable basic authentication]),
[ case "$enableval" in [ case "$enableval" in
no) no)
AC_MSG_RESULT(no) AC_MSG_RESULT(no)
AC_DEFINE(CURL_DISABLE_CRYPTO_AUTH, 1, [to disable cryptographic authentication]) AC_DEFINE(CURL_DISABLE_BASIC_AUTH, 1, [to disable basic authentication])
CURL_DISABLE_CRYPTO_AUTH=1 CURL_DISABLE_BASIC_AUTH=1
;;
*) AC_MSG_RESULT(yes)
;;
esac ],
AC_MSG_RESULT(yes)
)
dnl ************************************************************
dnl disable bearer authentication
dnl
AC_MSG_CHECKING([whether to enable bearer authentication method])
AC_ARG_ENABLE(bearer-auth,
AS_HELP_STRING([--enable-bearer-auth],[Enable bearer authentication (default)])
AS_HELP_STRING([--disable-bearer-auth],[Disable bearer authentication]),
[ case "$enableval" in
no)
AC_MSG_RESULT(no)
AC_DEFINE(CURL_DISABLE_BEARER_AUTH, 1, [to disable bearer authentication])
CURL_DISABLE_BEARER_AUTH=1
;;
*) AC_MSG_RESULT(yes)
;;
esac ],
AC_MSG_RESULT(yes)
)
dnl ************************************************************
dnl disable digest authentication
dnl
AC_MSG_CHECKING([whether to enable digest authentication method])
AC_ARG_ENABLE(digest-auth,
AS_HELP_STRING([--enable-digest-auth],[Enable digest authentication (default)])
AS_HELP_STRING([--disable-digest-auth],[Disable digest authentication]),
[ case "$enableval" in
no)
AC_MSG_RESULT(no)
AC_DEFINE(CURL_DISABLE_DIGEST_AUTH, 1, [to disable digest authentication])
CURL_DISABLE_DIGEST_AUTH=1
;;
*) AC_MSG_RESULT(yes)
;;
esac ],
AC_MSG_RESULT(yes)
)
dnl ************************************************************
dnl disable kerberos authentication
dnl
AC_MSG_CHECKING([whether to enable kerberos authentication method])
AC_ARG_ENABLE(kerberos-auth,
AS_HELP_STRING([--enable-kerberos-auth],[Enable kerberos authentication (default)])
AS_HELP_STRING([--disable-kerberos-auth],[Disable kerberos authentication]),
[ case "$enableval" in
no)
AC_MSG_RESULT(no)
AC_DEFINE(CURL_DISABLE_KERBEROS_AUTH, 1, [to disable kerberos authentication])
CURL_DISABLE_KERBEROS_AUTH=1
;;
*) AC_MSG_RESULT(yes)
;;
esac ],
AC_MSG_RESULT(yes)
)
dnl ************************************************************
dnl disable negotiate authentication
dnl
AC_MSG_CHECKING([whether to enable negotiate authentication method])
AC_ARG_ENABLE(negotiate-auth,
AS_HELP_STRING([--enable-negotiate-auth],[Enable negotiate authentication (default)])
AS_HELP_STRING([--disable-negotiate-auth],[Disable negotiate authentication]),
[ case "$enableval" in
no)
AC_MSG_RESULT(no)
AC_DEFINE(CURL_DISABLE_NEGOTIATE_AUTH, 1, [to disable negotiate authentication])
CURL_DISABLE_NEGOTIATE_AUTH=1
;;
*) AC_MSG_RESULT(yes)
;;
esac ],
AC_MSG_RESULT(yes)
)
dnl ************************************************************
dnl disable aws
dnl
AC_MSG_CHECKING([whether to enable aws sig methods])
AC_ARG_ENABLE(aws,
AS_HELP_STRING([--enable-aws],[Enable AWS sig support (default)])
AS_HELP_STRING([--disable-aws],[Disable AWS sig support]),
[ case "$enableval" in
no)
AC_MSG_RESULT(no)
AC_DEFINE(CURL_DISABLE_AWS, 1, [to disable AWS sig support])
CURL_DISABLE_AWS=1
;; ;;
*) AC_MSG_RESULT(yes) *) AC_MSG_RESULT(yes)
;; ;;
@ -4498,20 +4594,19 @@ if test "x$hsts" = "xyes"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES HSTS" SUPPORT_FEATURES="$SUPPORT_FEATURES HSTS"
fi fi
if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" -a \ if test "x$CURL_DISABLE_NEGOTIATE_AUTH" != "x1" -a \
\( "x$HAVE_GSSAPI" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \); then \( "x$HAVE_GSSAPI" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \); then
SUPPORT_FEATURES="$SUPPORT_FEATURES SPNEGO" SUPPORT_FEATURES="$SUPPORT_FEATURES SPNEGO"
fi fi
if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" -a \ if test "x$CURL_DISABLE_KERBEROS_AUTH" != "x1" -a \
\( "x$HAVE_GSSAPI" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \); then \( "x$HAVE_GSSAPI" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \); then
SUPPORT_FEATURES="$SUPPORT_FEATURES Kerberos" SUPPORT_FEATURES="$SUPPORT_FEATURES Kerberos"
fi fi
use_curl_ntlm_core=no use_curl_ntlm_core=no
if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" -a \ if test "x$CURL_DISABLE_NTLM" != "x1"; then
"x$CURL_DISABLE_NTLM" != "x1"; then
if test "x$OPENSSL_ENABLED" = "x1" -o "x$MBEDTLS_ENABLED" = "x1" \ if test "x$OPENSSL_ENABLED" = "x1" -o "x$MBEDTLS_ENABLED" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" \ -o "x$GNUTLS_ENABLED" = "x1" \
-o "x$SECURETRANSPORT_ENABLED" = "x1" \ -o "x$SECURETRANSPORT_ENABLED" = "x1" \

24
docs/CURL-DISABLE.md
View File

@ -12,9 +12,29 @@ Disable support for binding the local end of connections.
Disable support for HTTP cookies. Disable support for HTTP cookies.
## `CURL_DISABLE_CRYPTO_AUTH` ## `CURL_DISABLE_BASIC_AUTH`
Disable support for authentication methods using crypto. Disable support for the Basic authentication methods.
## `CURL_DISABLE_BEARER_AUTH`
Disable support for the Bearer authentication methods.
## `CURL_DISABLE_DIGEST_AUTH`
Disable support for the Digest authentication methods.
## `CURL_DISABLE_KERBEROS_AUTH`
Disable support for the Kerberos authentication methods.
## `CURL_DISABLE_NEGOTIATE_AUTH`
Disable support for the negotiate authentication methods.
## `CURL_DISABLE_AWS`
Disable **AWS-SIG4** support.
## `CURL_DISABLE_DICT` ## `CURL_DISABLE_DICT`

19
lib/curl_config.h.cmake
View File

@ -41,8 +41,23 @@
/* disables cookies support */ /* disables cookies support */
#cmakedefine CURL_DISABLE_COOKIES 1 #cmakedefine CURL_DISABLE_COOKIES 1
/* disables cryptographic authentication */ /* disables Basic authentication */
#cmakedefine CURL_DISABLE_CRYPTO_AUTH 1 #cmakedefine CURL_DISABLE_BASIC_AUTH 1
/* disables Bearer authentication */
#cmakedefine CURL_DISABLE_BEARER_AUTH 1
/* disables Digest authentication */
#cmakedefine CURL_DISABLE_DIGEST_AUTH 1
/* disables Kerberos authentication */
#cmakedefine CURL_DISABLE_KERBEROS_AUTH 1
/* disables negotiate authentication */
#cmakedefine CURL_DISABLE_NEGOTIATE_AUTH 1
/* disables AWS-SIG4 */
#cmakedefine CURL_DISABLE_AWS 1
/* disables DICT */ /* disables DICT */
#cmakedefine CURL_DISABLE_DICT 1 #cmakedefine CURL_DISABLE_DICT 1

3
lib/curl_hmac.h
View File

@ -24,7 +24,8 @@
* *
***************************************************************************/ ***************************************************************************/
#ifndef CURL_DISABLE_CRYPTO_AUTH #if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
|| !defined(CURL_DISABLE_AWS)
#include <curl/curl.h> #include <curl/curl.h>

4
lib/curl_md4.h
View File

@ -27,13 +27,13 @@
#include "curl_setup.h" #include "curl_setup.h"
#include <curl/curl.h> #include <curl/curl.h>
#if !defined(CURL_DISABLE_CRYPTO_AUTH) #if defined(USE_CURL_NTLM_CORE)
#define MD4_DIGEST_LENGTH 16 #define MD4_DIGEST_LENGTH 16
CURLcode Curl_md4it(unsigned char *output, const unsigned char *input, CURLcode Curl_md4it(unsigned char *output, const unsigned char *input,
const size_t len); const size_t len);
#endif /* !defined(CURL_DISABLE_CRYPTO_AUTH) */ #endif /* defined(USE_CURL_NTLM_CORE) */
#endif /* HEADER_CURL_MD4_H */ #endif /* HEADER_CURL_MD4_H */

4
lib/curl_md5.h
View File

@ -24,7 +24,9 @@
* *
***************************************************************************/ ***************************************************************************/
#ifndef CURL_DISABLE_CRYPTO_AUTH #if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
|| !defined(CURL_DISABLE_DIGEST_AUTH)
#include "curl_hmac.h" #include "curl_hmac.h"
#define MD5_DIGEST_LEN 16 #define MD5_DIGEST_LEN 16

8
lib/curl_sasl.c
View File

@ -420,7 +420,7 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data,
} }
else else
#endif #endif
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_DIGEST_AUTH
if((enabledmechs & SASL_MECH_DIGEST_MD5) && if((enabledmechs & SASL_MECH_DIGEST_MD5) &&
Curl_auth_is_digest_supported()) { Curl_auth_is_digest_supported()) {
mech = SASL_MECH_STRING_DIGEST_MD5; mech = SASL_MECH_STRING_DIGEST_MD5;
@ -530,8 +530,8 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data,
struct bufref resp; struct bufref resp;
const char *hostname, *disp_hostname; const char *hostname, *disp_hostname;
int port; int port;
#if !defined(CURL_DISABLE_CRYPTO_AUTH) || defined(USE_KERBEROS5) || \ #if defined(USE_KERBEROS5) || defined(USE_NTLM) \
defined(USE_NTLM) || !defined(CURL_DISABLE_DIGEST_AUTH)
const char *service = data->set.str[STRING_SERVICE_NAME] ? const char *service = data->set.str[STRING_SERVICE_NAME] ?
data->set.str[STRING_SERVICE_NAME] : data->set.str[STRING_SERVICE_NAME] :
sasl->params->service; sasl->params->service;
@ -577,7 +577,6 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data,
case SASL_EXTERNAL: case SASL_EXTERNAL:
result = Curl_auth_create_external_message(conn->user, &resp); result = Curl_auth_create_external_message(conn->user, &resp);
break; break;
#ifndef CURL_DISABLE_CRYPTO_AUTH
#ifdef USE_GSASL #ifdef USE_GSASL
case SASL_GSASL: case SASL_GSASL:
result = get_server_message(sasl, data, &serverdata); result = get_server_message(sasl, data, &serverdata);
@ -587,6 +586,7 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data,
newstate = SASL_GSASL; newstate = SASL_GSASL;
break; break;
#endif #endif
#ifndef CURL_DISABLE_DIGEST_AUTH
case SASL_CRAMMD5: case SASL_CRAMMD5:
result = get_server_message(sasl, data, &serverdata); result = get_server_message(sasl, data, &serverdata);
if(!result) if(!result)

6
lib/curl_setup.h
View File

@ -652,19 +652,19 @@
#endif #endif
/* Single point where USE_SPNEGO definition might be defined */ /* Single point where USE_SPNEGO definition might be defined */
#if !defined(CURL_DISABLE_CRYPTO_AUTH) && \ #if !defined(CURL_DISABLE_NEGOTIATE_AUTH) && \
(defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)) (defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI))
#define USE_SPNEGO #define USE_SPNEGO
#endif #endif
/* Single point where USE_KERBEROS5 definition might be defined */ /* Single point where USE_KERBEROS5 definition might be defined */
#if !defined(CURL_DISABLE_CRYPTO_AUTH) && \ #if !defined(CURL_DISABLE_KERBEROS_AUTH) && \
(defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)) (defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI))
#define USE_KERBEROS5 #define USE_KERBEROS5
#endif #endif
/* Single point where USE_NTLM definition might be defined */ /* Single point where USE_NTLM definition might be defined */
#if !defined(CURL_DISABLE_CRYPTO_AUTH) && !defined(CURL_DISABLE_NTLM) #if !defined(CURL_DISABLE_NTLM)
# if defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \ # if defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \
defined(USE_GNUTLS) || defined(USE_SECTRANSP) || \ defined(USE_GNUTLS) || defined(USE_SECTRANSP) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \ defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \

4
lib/curl_sha256.h
View File

@ -25,7 +25,9 @@
* *
***************************************************************************/ ***************************************************************************/
#ifndef CURL_DISABLE_CRYPTO_AUTH #if !defined(CURL_DISABLE_AWS) || !defined(CURL_DISABLE_DIGEST_AUTH) \
|| defined(USE_LIBSSH2)
#include <curl/curl.h> #include <curl/curl.h>
#include "curl_hmac.h" #include "curl_hmac.h"

2
lib/easy.c
View File

@ -1064,7 +1064,7 @@ void curl_easy_reset(struct Curl_easy *data)
memset(&data->state.authhost, 0, sizeof(struct auth)); memset(&data->state.authhost, 0, sizeof(struct auth));
memset(&data->state.authproxy, 0, sizeof(struct auth)); memset(&data->state.authproxy, 0, sizeof(struct auth));
#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
Curl_http_auth_cleanup_digest(data); Curl_http_auth_cleanup_digest(data);
#endif #endif
} }

5
lib/hmac.c
View File

@ -26,7 +26,8 @@
#include "curl_setup.h" #include "curl_setup.h"
#ifndef CURL_DISABLE_CRYPTO_AUTH #if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
|| !defined(CURL_DISABLE_AWS)
#include <curl/curl.h> #include <curl/curl.h>
@ -169,4 +170,4 @@ CURLcode Curl_hmacit(const struct HMAC_params *hashparams,
return CURLE_OK; return CURLE_OK;
} }
#endif /* CURL_DISABLE_CRYPTO_AUTH */ #endif /* Using NTLM (without SSPI) or AWS */

31
lib/http.c
View File

@ -341,6 +341,8 @@ char *Curl_copy_header_value(const char *header)
} }
#ifndef CURL_DISABLE_HTTP_AUTH #ifndef CURL_DISABLE_HTTP_AUTH
#ifndef CURL_DISABLE_BASIC_AUTH
/* /*
* http_output_basic() sets up an Authorization: header (or the proxy version) * http_output_basic() sets up an Authorization: header (or the proxy version)
* for HTTP Basic authentication. * for HTTP Basic authentication.
@ -402,6 +404,9 @@ fail:
return result; return result;
} }
#endif
#ifndef CURL_DISABLE_BEARER_AUTH
/* /*
* http_output_bearer() sets up an Authorization: header * http_output_bearer() sets up an Authorization: header
* for HTTP Bearer authentication. * for HTTP Bearer authentication.
@ -429,6 +434,8 @@ fail:
#endif #endif
#endif
/* pickoneauth() selects the most favourable authentication method from the /* pickoneauth() selects the most favourable authentication method from the
* ones available and the ones we want. * ones available and the ones we want.
* *
@ -445,18 +452,26 @@ static bool pickoneauth(struct auth *pick, unsigned long mask)
of preference in case of the existence of multiple accepted types. */ of preference in case of the existence of multiple accepted types. */
if(avail & CURLAUTH_NEGOTIATE) if(avail & CURLAUTH_NEGOTIATE)
pick->picked = CURLAUTH_NEGOTIATE; pick->picked = CURLAUTH_NEGOTIATE;
#ifndef CURL_DISABLE_BEARER_AUTH
else if(avail & CURLAUTH_BEARER) else if(avail & CURLAUTH_BEARER)
pick->picked = CURLAUTH_BEARER; pick->picked = CURLAUTH_BEARER;
#endif
#ifndef CURL_DISABLE_DIGEST_AUTH
else if(avail & CURLAUTH_DIGEST) else if(avail & CURLAUTH_DIGEST)
pick->picked = CURLAUTH_DIGEST; pick->picked = CURLAUTH_DIGEST;
#endif
else if(avail & CURLAUTH_NTLM) else if(avail & CURLAUTH_NTLM)
pick->picked = CURLAUTH_NTLM; pick->picked = CURLAUTH_NTLM;
else if(avail & CURLAUTH_NTLM_WB) else if(avail & CURLAUTH_NTLM_WB)
pick->picked = CURLAUTH_NTLM_WB; pick->picked = CURLAUTH_NTLM_WB;
#ifndef CURL_DISABLE_BASIC_AUTH
else if(avail & CURLAUTH_BASIC) else if(avail & CURLAUTH_BASIC)
pick->picked = CURLAUTH_BASIC; pick->picked = CURLAUTH_BASIC;
#endif
#ifndef CURL_DISABLE_AWS
else if(avail & CURLAUTH_AWS_SIGV4) else if(avail & CURLAUTH_AWS_SIGV4)
pick->picked = CURLAUTH_AWS_SIGV4; pick->picked = CURLAUTH_AWS_SIGV4;
#endif
else { else {
pick->picked = CURLAUTH_PICKNONE; /* we select to use nothing */ pick->picked = CURLAUTH_PICKNONE; /* we select to use nothing */
picked = FALSE; picked = FALSE;
@ -722,11 +737,11 @@ output_auth_headers(struct Curl_easy *data,
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
(void)conn; (void)conn;
#ifdef CURL_DISABLE_CRYPTO_AUTH #ifdef CURL_DISABLE_DIGEST_AUTH
(void)request; (void)request;
(void)path; (void)path;
#endif #endif
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_AWS
if(authstatus->picked == CURLAUTH_AWS_SIGV4) { if(authstatus->picked == CURLAUTH_AWS_SIGV4) {
auth = "AWS_SIGV4"; auth = "AWS_SIGV4";
result = Curl_output_aws_sigv4(data, proxy); result = Curl_output_aws_sigv4(data, proxy);
@ -762,7 +777,7 @@ output_auth_headers(struct Curl_easy *data,
} }
else else
#endif #endif
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_DIGEST_AUTH
if(authstatus->picked == CURLAUTH_DIGEST) { if(authstatus->picked == CURLAUTH_DIGEST) {
auth = "Digest"; auth = "Digest";
result = Curl_output_digest(data, result = Curl_output_digest(data,
@ -774,6 +789,7 @@ output_auth_headers(struct Curl_easy *data,
} }
else else
#endif #endif
#ifndef CURL_DISABLE_BASIC_AUTH
if(authstatus->picked == CURLAUTH_BASIC) { if(authstatus->picked == CURLAUTH_BASIC) {
/* Basic */ /* Basic */
if( if(
@ -793,6 +809,8 @@ output_auth_headers(struct Curl_easy *data,
functions work that way */ functions work that way */
authstatus->done = TRUE; authstatus->done = TRUE;
} }
#endif
#ifndef CURL_DISABLE_BEARER_AUTH
if(authstatus->picked == CURLAUTH_BEARER) { if(authstatus->picked == CURLAUTH_BEARER) {
/* Bearer */ /* Bearer */
if((!proxy && data->set.str[STRING_BEARER] && if((!proxy && data->set.str[STRING_BEARER] &&
@ -807,6 +825,7 @@ output_auth_headers(struct Curl_easy *data,
functions work that way */ functions work that way */
authstatus->done = TRUE; authstatus->done = TRUE;
} }
#endif
if(auth) { if(auth) {
#ifndef CURL_DISABLE_PROXY #ifndef CURL_DISABLE_PROXY
@ -1068,7 +1087,7 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy,
} }
else else
#endif #endif
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_DIGEST_AUTH
if(checkprefix("Digest", auth) && is_valid_auth_separator(auth[6])) { if(checkprefix("Digest", auth) && is_valid_auth_separator(auth[6])) {
if((authp->avail & CURLAUTH_DIGEST) != 0) if((authp->avail & CURLAUTH_DIGEST) != 0)
infof(data, "Ignoring duplicate digest auth header."); infof(data, "Ignoring duplicate digest auth header.");
@ -1091,6 +1110,7 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy,
} }
else else
#endif #endif
#ifndef CURL_DISABLE_BASIC_AUTH
if(checkprefix("Basic", auth) && if(checkprefix("Basic", auth) &&
is_valid_auth_separator(auth[5])) { is_valid_auth_separator(auth[5])) {
*availp |= CURLAUTH_BASIC; *availp |= CURLAUTH_BASIC;
@ -1105,6 +1125,8 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy,
} }
} }
else else
#endif
#ifndef CURL_DISABLE_BEARER_AUTH
if(checkprefix("Bearer", auth) && if(checkprefix("Bearer", auth) &&
is_valid_auth_separator(auth[6])) { is_valid_auth_separator(auth[6])) {
*availp |= CURLAUTH_BEARER; *availp |= CURLAUTH_BEARER;
@ -1117,6 +1139,7 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy,
data->state.authproblem = TRUE; data->state.authproblem = TRUE;
} }
} }
#endif
/* there may be multiple methods on one line, so keep reading */ /* there may be multiple methods on one line, so keep reading */
while(*auth && *auth != ',') /* read up to the next comma */ while(*auth && *auth != ',') /* read up to the next comma */

4
lib/http_aws_sigv4.c
View File

@ -24,7 +24,7 @@
#include "curl_setup.h" #include "curl_setup.h"
#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_AWS)
#include "urldata.h" #include "urldata.h"
#include "strcase.h" #include "strcase.h"
@ -646,4 +646,4 @@ fail:
return ret; return ret;
} }
#endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) */ #endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_AWS) */

2
lib/http_digest.c
View File

@ -24,7 +24,7 @@
#include "curl_setup.h" #include "curl_setup.h"
#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
#include "urldata.h" #include "urldata.h"
#include "strcase.h" #include "strcase.h"

4
lib/http_digest.h
View File

@ -25,7 +25,7 @@
***************************************************************************/ ***************************************************************************/
#include "curl_setup.h" #include "curl_setup.h"
#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
/* this is for digest header input */ /* this is for digest header input */
CURLcode Curl_input_digest(struct Curl_easy *data, CURLcode Curl_input_digest(struct Curl_easy *data,
@ -39,6 +39,6 @@ CURLcode Curl_output_digest(struct Curl_easy *data,
void Curl_http_auth_cleanup_digest(struct Curl_easy *data); void Curl_http_auth_cleanup_digest(struct Curl_easy *data);
#endif /* !CURL_DISABLE_HTTP && !CURL_DISABLE_CRYPTO_AUTH */ #endif /* !CURL_DISABLE_HTTP && !CURL_DISABLE_DIGEST_AUTH */
#endif /* HEADER_CURL_HTTP_DIGEST_H */ #endif /* HEADER_CURL_HTTP_DIGEST_H */

2
lib/ldap.c
View File

@ -239,7 +239,7 @@ static int ldap_win_bind_auth(LDAP *server, const char *user,
} }
else else
#endif #endif
#if !defined(CURL_DISABLE_CRYPTO_AUTH) #if !defined(CURL_DISABLE_DIGEST_AUTH)
if(authflags & CURLAUTH_DIGEST) { if(authflags & CURLAUTH_DIGEST) {
method = LDAP_AUTH_DIGEST; method = LDAP_AUTH_DIGEST;
} }

5
lib/md5.c
View File

@ -24,7 +24,8 @@
#include "curl_setup.h" #include "curl_setup.h"
#ifndef CURL_DISABLE_CRYPTO_AUTH #if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
|| !defined(CURL_DISABLE_DIGEST_AUTH)
#include <string.h> #include <string.h>
#include <curl/curl.h> #include <curl/curl.h>
@ -652,4 +653,4 @@ CURLcode Curl_MD5_final(struct MD5_context *context, unsigned char *result)
return CURLE_OK; return CURLE_OK;
} }
#endif /* CURL_DISABLE_CRYPTO_AUTH */ #endif /* Using NTLM (without SSPI) || Digest */

10
lib/pop3.c
View File

@ -419,7 +419,7 @@ static CURLcode pop3_perform_user(struct Curl_easy *data,
return result; return result;
} }
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_DIGEST_AUTH
/*********************************************************************** /***********************************************************************
* *
* pop3_perform_apop() * pop3_perform_apop()
@ -563,7 +563,7 @@ static CURLcode pop3_perform_authentication(struct Curl_easy *data,
} }
if(!result && progress == SASL_IDLE) { if(!result && progress == SASL_IDLE) {
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_DIGEST_AUTH
if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_APOP) if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_APOP)
/* Perform APOP authentication */ /* Perform APOP authentication */
result = pop3_perform_apop(data, conn); result = pop3_perform_apop(data, conn);
@ -831,7 +831,7 @@ static CURLcode pop3_state_auth_resp(struct Curl_easy *data,
pop3_state(data, POP3_STOP); /* Authenticated */ pop3_state(data, POP3_STOP); /* Authenticated */
break; break;
case SASL_IDLE: /* No mechanism left after cancellation */ case SASL_IDLE: /* No mechanism left after cancellation */
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_DIGEST_AUTH
if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_APOP) if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_APOP)
/* Perform APOP authentication */ /* Perform APOP authentication */
result = pop3_perform_apop(data, conn); result = pop3_perform_apop(data, conn);
@ -852,7 +852,7 @@ static CURLcode pop3_state_auth_resp(struct Curl_easy *data,
return result; return result;
} }
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_DIGEST_AUTH
/* For APOP responses */ /* For APOP responses */
static CURLcode pop3_state_apop_resp(struct Curl_easy *data, int pop3code, static CURLcode pop3_state_apop_resp(struct Curl_easy *data, int pop3code,
pop3state instate) pop3state instate)
@ -1015,7 +1015,7 @@ static CURLcode pop3_statemachine(struct Curl_easy *data,
result = pop3_state_auth_resp(data, pop3code, pop3c->state); result = pop3_state_auth_resp(data, pop3code, pop3c->state);
break; break;
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_DIGEST_AUTH
case POP3_APOP: case POP3_APOP:
result = pop3_state_apop_resp(data, pop3code, pop3c->state); result = pop3_state_apop_resp(data, pop3code, pop3c->state);
break; break;

2
lib/setopt.c
View File

@ -679,6 +679,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
break; break;
#endif #endif
#if !defined(CURL_DISABLE_AWS)
case CURLOPT_AWS_SIGV4: case CURLOPT_AWS_SIGV4:
/* /*
* String that is merged to some authentication * String that is merged to some authentication
@ -692,6 +693,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
if(data->set.str[STRING_AWS_SIGV4]) if(data->set.str[STRING_AWS_SIGV4])
data->set.httpauth = CURLAUTH_AWS_SIGV4; data->set.httpauth = CURLAUTH_AWS_SIGV4;
break; break;
#endif
case CURLOPT_REFERER: case CURLOPT_REFERER:
/* /*

5
lib/sha256.c
View File

@ -25,7 +25,8 @@
#include "curl_setup.h" #include "curl_setup.h"
#ifndef CURL_DISABLE_CRYPTO_AUTH #if !defined(CURL_DISABLE_AWS) || !defined(CURL_DISABLE_DIGEST_AUTH) \
|| defined(USE_LIBSSH2)
#include "warnless.h" #include "warnless.h"
#include "curl_sha256.h" #include "curl_sha256.h"
@ -541,4 +542,4 @@ const struct HMAC_params Curl_HMAC_SHA256[] = {
}; };
#endif /* CURL_DISABLE_CRYPTO_AUTH */ #endif /* AWS, DIGEST, or libSSH2 */

2
lib/url.c
View File

@ -414,7 +414,7 @@ CURLcode Curl_close(struct Curl_easy **datap)
Curl_hsts_cleanup(&data->hsts); Curl_hsts_cleanup(&data->hsts);
curl_slist_free_all(data->set.hstslist); /* clean up list */ curl_slist_free_all(data->set.hstslist); /* clean up list */
#endif #endif
#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
Curl_http_auth_cleanup_digest(data); Curl_http_auth_cleanup_digest(data);
#endif #endif
Curl_safefree(data->info.contenttype); Curl_safefree(data->info.contenttype);

4
lib/urldata.h
View File

@ -336,6 +336,7 @@ struct Curl_ssl_session {
#include "curl_sspi.h" #include "curl_sspi.h"
#endif #endif
#ifndef CURL_DISABLE_DIGEST_AUTH
/* Struct used for Digest challenge-response authentication */ /* Struct used for Digest challenge-response authentication */
struct digestdata { struct digestdata {
#if defined(USE_WINDOWS_SSPI) #if defined(USE_WINDOWS_SSPI)
@ -359,6 +360,7 @@ struct digestdata {
BIT(userhash); BIT(userhash);
#endif #endif
}; };
#endif
typedef enum { typedef enum {
NTLMSTATE_NONE, NTLMSTATE_NONE,
@ -1347,7 +1349,7 @@ struct UrlState {
/* storage for the previous bag^H^H^HSIGPIPE signal handler :-) */ /* storage for the previous bag^H^H^HSIGPIPE signal handler :-) */
void (*prev_signal)(int sig); void (*prev_signal)(int sig);
#endif #endif
#ifndef CURL_DISABLE_CRYPTO_AUTH #ifndef CURL_DISABLE_DIGEST_AUTH
struct digestdata digest; /* state data for host Digest auth */ struct digestdata digest; /* state data for host Digest auth */
struct digestdata proxydigest; /* state data for proxy Digest auth */ struct digestdata proxydigest; /* state data for proxy Digest auth */
#endif #endif

4
lib/vauth/cram.c
View File

@ -26,7 +26,7 @@
#include "curl_setup.h" #include "curl_setup.h"
#if !defined(CURL_DISABLE_CRYPTO_AUTH) #ifndef CURL_DISABLE_DIGEST_AUTH
#include <curl/curl.h> #include <curl/curl.h>
#include "urldata.h" #include "urldata.h"
@ -94,4 +94,4 @@ CURLcode Curl_auth_create_cram_md5_message(const struct bufref *chlg,
return CURLE_OK; return CURLE_OK;
} }
#endif /* !CURL_DISABLE_CRYPTO_AUTH */ #endif /* !CURL_DISABLE_DIGEST_AUTH */

4
lib/vauth/digest.c
View File

@ -27,7 +27,7 @@
#include "curl_setup.h" #include "curl_setup.h"
#if !defined(CURL_DISABLE_CRYPTO_AUTH) #ifndef CURL_DISABLE_DIGEST_AUTH
#include <curl/curl.h> #include <curl/curl.h>
@ -992,4 +992,4 @@ void Curl_auth_digest_cleanup(struct digestdata *digest)
} }
#endif /* !USE_WINDOWS_SSPI */ #endif /* !USE_WINDOWS_SSPI */
#endif /* CURL_DISABLE_CRYPTO_AUTH */ #endif /* !CURL_DISABLE_DIGEST_AUTH */

2
lib/vauth/digest.h
View File

@ -26,7 +26,7 @@
#include <curl/curl.h> #include <curl/curl.h>
#if !defined(CURL_DISABLE_CRYPTO_AUTH) #ifndef CURL_DISABLE_DIGEST_AUTH
#define DIGEST_MAX_VALUE_LENGTH 256 #define DIGEST_MAX_VALUE_LENGTH 256
#define DIGEST_MAX_CONTENT_LENGTH 1024 #define DIGEST_MAX_CONTENT_LENGTH 1024

4
lib/vauth/digest_sspi.c
View File

@ -27,7 +27,7 @@
#include "curl_setup.h" #include "curl_setup.h"
#if defined(USE_WINDOWS_SSPI) && !defined(CURL_DISABLE_CRYPTO_AUTH) #if defined(USE_WINDOWS_SSPI) && !defined(CURL_DISABLE_DIGEST_AUTH)
#include <curl/curl.h> #include <curl/curl.h>
@ -665,4 +665,4 @@ void Curl_auth_digest_cleanup(struct digestdata *digest)
Curl_safefree(digest->passwd); Curl_safefree(digest->passwd);
} }
#endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_CRYPTO_AUTH */ #endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_DIGEST_AUTH */

6
lib/vauth/vauth.h
View File

@ -30,7 +30,7 @@
struct Curl_easy; struct Curl_easy;
#if !defined(CURL_DISABLE_CRYPTO_AUTH) #if !defined(CURL_DISABLE_DIGEST_AUTH)
struct digestdata; struct digestdata;
#endif #endif
@ -86,7 +86,7 @@ CURLcode Curl_auth_create_login_message(const char *value,
CURLcode Curl_auth_create_external_message(const char *user, CURLcode Curl_auth_create_external_message(const char *user,
struct bufref *out); struct bufref *out);
#if !defined(CURL_DISABLE_CRYPTO_AUTH) #ifndef CURL_DISABLE_DIGEST_AUTH
/* This is used to generate a CRAM-MD5 response message */ /* This is used to generate a CRAM-MD5 response message */
CURLcode Curl_auth_create_cram_md5_message(const struct bufref *chlg, CURLcode Curl_auth_create_cram_md5_message(const struct bufref *chlg,
const char *userp, const char *userp,
@ -119,7 +119,7 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
/* This is used to clean up the digest specific data */ /* This is used to clean up the digest specific data */
void Curl_auth_digest_cleanup(struct digestdata *digest); void Curl_auth_digest_cleanup(struct digestdata *digest);
#endif /* !CURL_DISABLE_CRYPTO_AUTH */ #endif /* !CURL_DISABLE_DIGEST_AUTH */
#ifdef USE_GSASL #ifdef USE_GSASL
/* This is used to evaluate if MECH is supported by gsasl */ /* This is used to evaluate if MECH is supported by gsasl */

3
packages/vms/generate_config_vms_h_curl.com
View File

@ -237,9 +237,6 @@ $!
$write cvh "#ifdef CURL_DISABLE_COOKIES" $write cvh "#ifdef CURL_DISABLE_COOKIES"
$write cvh "#undef CURL_DISABLE_COOKIES" $write cvh "#undef CURL_DISABLE_COOKIES"
$write cvh "#endif" $write cvh "#endif"
$write cvh "#ifdef CURL_DISABLE_CRYPTO_AUTH"
$write cvh "#undef CURL_DISABLE_CRYPTO_AUTH"
$write cvh "#endif"
$write cvh "#ifdef CURL_DISABLE_DICT" $write cvh "#ifdef CURL_DISABLE_DICT"
$write cvh "#undef CURL_DISABLE_DICT" $write cvh "#undef CURL_DISABLE_DICT"
$write cvh "#endif" $write cvh "#endif"

16
tests/server/disabled.c
View File

@ -43,8 +43,20 @@ static const char *disabled[]={
#ifdef CURL_DISABLE_COOKIES #ifdef CURL_DISABLE_COOKIES
"cookies", "cookies",
#endif #endif
#ifdef CURL_DISABLE_CRYPTO_AUTH #ifdef CURL_DISABLE_BASIC_AUTH
"crypto", "basic-auth",
#endif
#ifdef CURL_DISABLE_BEARER_AUTH
"bearer-auth",
#endif
#ifdef CURL_DISABLE_DIGEST_AUTH
"digest-auth",
#endif
#ifdef CURL_DISABLE_NEGOTIATE_AUTH
"negotiate-auth",
#endif
#ifdef CURL_DISABLE_AWS
"aws",
#endif #endif
#ifdef CURL_DISABLE_DOH #ifdef CURL_DISABLE_DOH
"DoH", "DoH",

4
tests/unit/unit1601.c
View File

@ -37,7 +37,9 @@ static void unit_stop(void)
UNITTEST_START UNITTEST_START
#ifndef CURL_DISABLE_CRYPTO_AUTH #if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
|| !defined(CURL_DISABLE_DIGEST_AUTH)
const char string1[] = "1"; const char string1[] = "1";
const char string2[] = "hello-you-fool"; const char string2[] = "hello-you-fool";
unsigned char output[MD5_DIGEST_LEN]; unsigned char output[MD5_DIGEST_LEN];

4
tests/unit/unit1610.c
View File

@ -39,7 +39,9 @@ static void unit_stop(void)
UNITTEST_START UNITTEST_START
#ifndef CURL_DISABLE_CRYPTO_AUTH #if !defined(CURL_DISABLE_AWS) || !defined(CURL_DISABLE_DIGEST_AUTH) \
|| defined(USE_LIBSSH2)
const char string1[] = "1"; const char string1[] = "1";
const char string2[] = "hello-you-fool"; const char string2[] = "hello-you-fool";
unsigned char output[SHA256_DIGEST_LENGTH]; unsigned char output[SHA256_DIGEST_LENGTH];

4
tests/unit/unit1612.c
View File

@ -38,7 +38,9 @@ static void unit_stop(void)
UNITTEST_START UNITTEST_START
#ifndef CURL_DISABLE_CRYPTO_AUTH #if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
|| !defined(CURL_DISABLE_DIGEST_AUTH)
const char password[] = "Pa55worD"; const char password[] = "Pa55worD";
const char string1[] = "1"; const char string1[] = "1";
const char string2[] = "hello-you-fool"; const char string2[] = "hello-you-fool";