-
-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to disable specific auths (Basic, Bearer, Digest, etc.) and non-standard like AWS. #11490
Conversation
--disable-crypto-auth is already there to disable them all, Basic notwithstanding.
|
Yeah, Basic isn't in there. And there's the case where you need NTLM but Plus this removes AWS and give the ability for fine-grained disabling of individual auths that aren't needed. |
Shouldn't this then also include ntlm and negotiate to the mix so that they all are independently controlled the same way? |
Explicitly mark which is default on @vszakats request.
|
…. This will prevent accidental use in the future.
Would it make sense to change Also, CMake is missing and the spellcheck job is failing. Apart from that, this PR looks good to me! |
…removal of `CURL_DISABLE_CRYPTO_AUTH`.
Fixed the spelling and added the CMake changes. I'm all done making the requested changes. All the tests are passing (except for some failures due to the brittleness of the tests, not the code being tested). Should be good for a final review and/or merge. Let me know if there's anything else you want me to address. |
Thanks! |
Both with configure and cmake Closes curl#11490
Follow-up to e92edfb curl#11490 Closes #xxxxx
This curl v8.4.0 update: curl/curl@e92edfb curl/curl#11490 deleted a build option we used and replaced it with multiple new ones. autotools now also has a documented defaults for them. Update our options accordingly in cmake and autotools builds.
``` ./curl/lib/http.c:737:12: warning: unused variable 'result' [-Wunused-variable] CURLcode result = CURLE_OK; ^ ./curl/lib/http.c:1143:12: warning: empty expression statement has no effect; remove unnecessary ';' to silence this warning [-Wextra-semi-stmt] ; ^ ./curl/lib/http.c:995:18: warning: variable 'availp' set but not used [-Wunused-but-set-variable] unsigned long *availp; ^ ./curl/lib/http.c:996:16: warning: variable 'authp' set but not used [-Wunused-but-set-variable] struct auth *authp; ^ ./curl/lib/http.c:979:12: warning: unused function 'is_valid_auth_separator' [-Wunused-function] static int is_valid_auth_separator(char ch) ^ 5 warnings generated. ``` Follow-up to 0d3956b curl#11895 Follow-up to e92edfb curl#11490 Closes #xxxxx
Builds with libssh2 + `-DCURL_DISABLE_DIGEST_AUTH=ON` + `-DCURL_DISABLE_AWS=ON` in combination with either Schannel on Windows, or `-DCURL_DISABLE_NTLM=ON` on other operating systems failed while compiling due to a missing HMAC declaration. The reason is that HMAC is required by `lib/sha256.c` which publishes `Curl_sha256it()` which is required by `lib/vssh/libssh2.c` when building for libssh2 v1.8.2 (2019-05-25) or older. Make sure to compile the HMAC bits for a successful build. Both HMAC and `Curl_sha256it()` rely on the same internals, so splitting them into separate sources isn't practical. Fixes: ``` [...] In file included from ./curl/_x64-win-ucrt-cmake-llvm-bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity_0_c.c:310: ./curl/lib/sha256.c:527:42: error: array has incomplete element type 'const struct HMAC_params' 527 | const struct HMAC_params Curl_HMAC_SHA256[] = { | ^ ./curl/lib/curl_sha256.h:34:21: note: forward declaration of 'struct HMAC_params' [...] ``` Regression from e92edfb #11490 Fixes #12273 Closes #12332
Fix compiler warnings in builds with disabled auths, NTLM and SPNEGO. E.g. with `CURL_DISABLE_BASIC_AUTH` + `CURL_DISABLE_BEARER_AUTH` + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_NEGOTIATE_AUTH` + `CURL_DISABLE_NTLM` on non-Windows. ``` ./curl/lib/http.c:737:12: warning: unused variable 'result' [-Wunused-variable] CURLcode result = CURLE_OK; ^ ./curl/lib/http.c:995:18: warning: variable 'availp' set but not used [-Wunused-but-set-variable] unsigned long *availp; ^ ./curl/lib/http.c:996:16: warning: variable 'authp' set but not used [-Wunused-but-set-variable] struct auth *authp; ^ ``` Regression from e92edfb #11490 Fixes #12228 Closes #12335
The commit e92edfbef644 ("lib: add ability to disable auths individually") [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up tarantool#9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party
The commit e92edfbef644 ("lib: add ability to disable auths individually") [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up tarantool#9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party
The commit e92edfbef644 ("lib: add ability to disable auths individually") [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up tarantool#9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up tarantool#9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up tarantool#9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up #9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up tarantool#9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party (cherry picked from commit c9daf9b)
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up tarantool#9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party (cherry picked from commit c9daf9b)
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up #9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party (cherry picked from commit c9daf9b)
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up #9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party (cherry picked from commit c9daf9b)
In the spirit of tiny-curl deprecated, optional, and non-standard code should be able to be compiled-out.
AWS-SIG4 is an organization-specific (namely, Amazon) chunk of code that is not applicable outside of communicating with Amazon servers. It is not standardized. Personally, I think this should be disabled by default in libCurl (and maybe even curl-cli too), but a good place to start is even adding the ability to disable it.
Digest Auth is actually a standard (unlike AWS-SIG4) but has long-since become deprecated (both by standards organizations and by end-user corporations that had previously used Digest).
Lastly, Bearer, Basic, Negotiate, and Kerberos auth types are also configurably disabled. These are all safe authentication methods, but not every user of curl / libcurl will need them. Hence, reduce compiled binary size (and executed run-time checks) when they're not needed.
This PR continues that by adding 6 configure options / defines:
This also removes the general
CURL_DISABLE_CRYPTO_AUTH
(as suggested below by @bagder ) since the specific auth-types can be disabled one-by-one.Personally, I think both Digest & AWS should be disabled by default. But this is a good start.
We already deploy and use versions of libcurl with these auths (and AWS) disabled (and have for a few years now).