diff --git a/CMakeLists.txt b/CMakeLists.txt index cb2290d9c51631..bc42c6a628a412 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -191,8 +191,18 @@ option(CURL_DISABLE_ALTSVC "disables alt-svc support" OFF) mark_as_advanced(CURL_DISABLE_ALTSVC) option(CURL_DISABLE_COOKIES "disables cookies support" OFF) mark_as_advanced(CURL_DISABLE_COOKIES) -option(CURL_DISABLE_CRYPTO_AUTH "disables cryptographic authentication" OFF) -mark_as_advanced(CURL_DISABLE_CRYPTO_AUTH) +option(CURL_DISABLE_BASIC_AUTH "disables Basic authentication" OFF) +mark_as_advanced(CURL_DISABLE_BASIC_AUTH) +option(CURL_DISABLE_BEARER_AUTH "disables Bearer authentication" OFF) +mark_as_advanced(CURL_DISABLE_BEARER_AUTH) +option(CURL_DISABLE_DIGEST_AUTH "disables Digest authentication" OFF) +mark_as_advanced(CURL_DISABLE_DIGEST_AUTH) +option(CURL_DISABLE_KERBEROS_AUTH "disables Kerberos authentication" OFF) +mark_as_advanced(CURL_DISABLE_KERBEROS_AUTH) +option(CURL_DISABLE_NEGOTIATE_AUTH "disables negotiate authentication" OFF) +mark_as_advanced(CURL_DISABLE_NEGOTIATE_AUTH) +option(CURL_DISABLE_AWS "disables AWS-SIG4" OFF) +mark_as_advanced(CURL_DISABLE_AWS) option(CURL_DISABLE_DICT "disables DICT" OFF) mark_as_advanced(CURL_DISABLE_DICT) option(CURL_DISABLE_DOH "disables DNS-over-HTTPS" OFF) @@ -1448,7 +1458,7 @@ endmacro() # NTLM support requires crypto function adaptions from various SSL libs # TODO alternative SSL libs tests for SSP1, GNUTLS, NSS -if(NOT (CURL_DISABLE_CRYPTO_AUTH OR CURL_DISABLE_NTLM) AND +if(NOT (CURL_DISABLE_NTLM) AND (USE_OPENSSL OR USE_MBEDTLS OR USE_DARWINSSL OR USE_WIN32_CRYPTO OR USE_GNUTLS)) set(use_curl_ntlm_core ON) endif() 
@@ -1471,16 +1481,16 @@ _add_if("GSS-API" HAVE_GSSAPI) _add_if("alt-svc" NOT CURL_DISABLE_ALTSVC) _add_if("HSTS" NOT CURL_DISABLE_HSTS) # TODO SSP1 missing for SPNEGO -_add_if("SPNEGO" NOT CURL_DISABLE_CRYPTO_AUTH AND +_add_if("SPNEGO" NOT CURL_DISABLE_NEGOTIATE_AUTH AND (HAVE_GSSAPI OR USE_WINDOWS_SSPI)) -_add_if("Kerberos" NOT CURL_DISABLE_CRYPTO_AUTH AND +_add_if("Kerberos" NOT CURL_DISABLE_KERBEROS_AUTH AND (HAVE_GSSAPI OR USE_WINDOWS_SSPI)) # NTLM support requires crypto function adaptions from various SSL libs # TODO alternative SSL libs tests for SSP1, GNUTLS, NSS -_add_if("NTLM" NOT (CURL_DISABLE_CRYPTO_AUTH OR CURL_DISABLE_NTLM) AND +_add_if("NTLM" NOT (CURL_DISABLE_NTLM) AND (use_curl_ntlm_core OR USE_WINDOWS_SSPI)) # TODO missing option (autoconf: --enable-ntlm-wb) -_add_if("NTLM_WB" NOT (CURL_DISABLE_CRYPTO_AUTH OR CURL_DISABLE_NTLM) AND +_add_if("NTLM_WB" NOT (CURL_DISABLE_NTLM) AND (use_curl_ntlm_core OR USE_WINDOWS_SSPI) AND NOT CURL_DISABLE_HTTP AND NTLM_WB_ENABLED) # TODO missing option (--enable-tls-srp), depends on GNUTLS_SRP/OPENSSL_SRP diff --git a/configure.ac b/configure.ac index 0aa6daafd2a219..5c57b41d0b326f 100644 --- a/configure.ac +++ b/configure.ac 
@@ -3935,17 +3935,113 @@ AS_HELP_STRING([--disable-sspi],[Disable SSPI]), ) dnl ************************************************************ -dnl disable cryptographic authentication +dnl disable basic authentication dnl -AC_MSG_CHECKING([whether to enable cryptographic authentication methods]) -AC_ARG_ENABLE(crypto-auth, -AS_HELP_STRING([--enable-crypto-auth],[Enable cryptographic authentication]) -AS_HELP_STRING([--disable-crypto-auth],[Disable cryptographic authentication]), +AC_MSG_CHECKING([whether to enable basic authentication method]) +AC_ARG_ENABLE(basic-auth, +AS_HELP_STRING([--enable-basic-auth],[Enable basic authentication (default)]) +AS_HELP_STRING([--disable-basic-auth],[Disable basic authentication]), [ case "$enableval" in no) AC_MSG_RESULT(no) - AC_DEFINE(CURL_DISABLE_CRYPTO_AUTH, 1, [to disable cryptographic authentication]) - CURL_DISABLE_CRYPTO_AUTH=1 + AC_DEFINE(CURL_DISABLE_BASIC_AUTH, 1, [to disable basic authentication]) + CURL_DISABLE_BASIC_AUTH=1 + ;; + *) AC_MSG_RESULT(yes) + ;; + esac ], + AC_MSG_RESULT(yes) +) + +dnl ************************************************************ +dnl disable bearer authentication +dnl +AC_MSG_CHECKING([whether to enable bearer authentication method]) +AC_ARG_ENABLE(bearer-auth, +AS_HELP_STRING([--enable-bearer-auth],[Enable bearer authentication (default)]) +AS_HELP_STRING([--disable-bearer-auth],[Disable bearer authentication]), +[ case "$enableval" in + no) + AC_MSG_RESULT(no) + AC_DEFINE(CURL_DISABLE_BEARER_AUTH, 1, [to disable bearer authentication]) + CURL_DISABLE_BEARER_AUTH=1 + ;; + *) AC_MSG_RESULT(yes) + ;; + esac ], + AC_MSG_RESULT(yes) +) + +dnl ************************************************************ +dnl disable digest authentication +dnl +AC_MSG_CHECKING([whether to enable digest authentication method]) +AC_ARG_ENABLE(digest-auth, +AS_HELP_STRING([--enable-digest-auth],[Enable digest authentication (default)]) +AS_HELP_STRING([--disable-digest-auth],[Disable digest authentication]), +[ 
case "$enableval" in + no) + AC_MSG_RESULT(no) + AC_DEFINE(CURL_DISABLE_DIGEST_AUTH, 1, [to disable digest authentication]) + CURL_DISABLE_DIGEST_AUTH=1 + ;; + *) AC_MSG_RESULT(yes) + ;; + esac ], + AC_MSG_RESULT(yes) +) + +dnl ************************************************************ +dnl disable kerberos authentication +dnl +AC_MSG_CHECKING([whether to enable kerberos authentication method]) +AC_ARG_ENABLE(kerberos-auth, +AS_HELP_STRING([--enable-kerberos-auth],[Enable kerberos authentication (default)]) +AS_HELP_STRING([--disable-kerberos-auth],[Disable kerberos authentication]), +[ case "$enableval" in + no) + AC_MSG_RESULT(no) + AC_DEFINE(CURL_DISABLE_KERBEROS_AUTH, 1, [to disable kerberos authentication]) + CURL_DISABLE_KERBEROS_AUTH=1 + ;; + *) AC_MSG_RESULT(yes) + ;; + esac ], + AC_MSG_RESULT(yes) +) + +dnl ************************************************************ +dnl disable negotiate authentication +dnl +AC_MSG_CHECKING([whether to enable negotiate authentication method]) +AC_ARG_ENABLE(negotiate-auth, +AS_HELP_STRING([--enable-negotiate-auth],[Enable negotiate authentication (default)]) +AS_HELP_STRING([--disable-negotiate-auth],[Disable negotiate authentication]), +[ case "$enableval" in + no) + AC_MSG_RESULT(no) + AC_DEFINE(CURL_DISABLE_NEGOTIATE_AUTH, 1, [to disable negotiate authentication]) + CURL_DISABLE_NEGOTIATE_AUTH=1 + ;; + *) AC_MSG_RESULT(yes) + ;; + esac ], + AC_MSG_RESULT(yes) +) + + +dnl ************************************************************ +dnl disable aws +dnl +AC_MSG_CHECKING([whether to enable aws sig methods]) +AC_ARG_ENABLE(aws, +AS_HELP_STRING([--enable-aws],[Enable AWS sig support (default)]) +AS_HELP_STRING([--disable-aws],[Disable AWS sig support]), +[ case "$enableval" in + no) + AC_MSG_RESULT(no) + AC_DEFINE(CURL_DISABLE_AWS, 1, [to disable AWS sig support]) + CURL_DISABLE_AWS=1 ;; *) AC_MSG_RESULT(yes) ;; 
@@ -4498,20 +4594,19 @@ if test "x$hsts" = "xyes"; then SUPPORT_FEATURES="$SUPPORT_FEATURES HSTS" fi -if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" -a \ +if test "x$CURL_DISABLE_NEGOTIATE_AUTH" != "x1" -a \ \( "x$HAVE_GSSAPI" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \); then SUPPORT_FEATURES="$SUPPORT_FEATURES SPNEGO" fi -if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" -a \ +if test "x$CURL_DISABLE_KERBEROS_AUTH" != "x1" -a \ \( "x$HAVE_GSSAPI" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \); then SUPPORT_FEATURES="$SUPPORT_FEATURES Kerberos" fi use_curl_ntlm_core=no -if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" -a \ - "x$CURL_DISABLE_NTLM" != "x1"; then +if test "x$CURL_DISABLE_NTLM" != "x1"; then if test "x$OPENSSL_ENABLED" = "x1" -o "x$MBEDTLS_ENABLED" = "x1" \ -o "x$GNUTLS_ENABLED" = "x1" \ -o "x$SECURETRANSPORT_ENABLED" = "x1" \ diff --git a/docs/CURL-DISABLE.md b/docs/CURL-DISABLE.md index 83186ff5d2091e..7978ed2125a5b4 100644 --- a/docs/CURL-DISABLE.md +++ b/docs/CURL-DISABLE.md @@ -12,9 +12,29 @@ Disable support for binding the local end of connections. Disable support for HTTP cookies. -## `CURL_DISABLE_CRYPTO_AUTH` +## `CURL_DISABLE_BASIC_AUTH` -Disable support for authentication methods using crypto. +Disable support for the Basic authentication methods. + +## `CURL_DISABLE_BEARER_AUTH` + +Disable support for the Bearer authentication methods. + +## `CURL_DISABLE_DIGEST_AUTH` + +Disable support for the Digest authentication methods. + +## `CURL_DISABLE_KERBEROS_AUTH` + +Disable support for the Kerberos authentication methods. + +## `CURL_DISABLE_NEGOTIATE_AUTH` + +Disable support for the negotiate authentication methods. + +## `CURL_DISABLE_AWS` + +Disable **AWS-SIG4** support. ## `CURL_DISABLE_DICT` diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake index 4cfc2ec2563299..8e76b00070a1cb 100644 --- a/lib/curl_config.h.cmake +++ b/lib/curl_config.h.cmake 
@@ -41,8 +41,23 @@ /* disables cookies support */ #cmakedefine CURL_DISABLE_COOKIES 1 -/* disables cryptographic authentication */ -#cmakedefine CURL_DISABLE_CRYPTO_AUTH 1 +/* disables Basic authentication */ +#cmakedefine CURL_DISABLE_BASIC_AUTH 1 + +/* disables Bearer authentication */ +#cmakedefine CURL_DISABLE_BEARER_AUTH 1 + +/* disables Digest authentication */ +#cmakedefine CURL_DISABLE_DIGEST_AUTH 1 + +/* disables Kerberos authentication */ +#cmakedefine CURL_DISABLE_KERBEROS_AUTH 1 + +/* disables negotiate authentication */ +#cmakedefine CURL_DISABLE_NEGOTIATE_AUTH 1 + +/* disables AWS-SIG4 */ +#cmakedefine CURL_DISABLE_AWS 1 /* disables DICT */ #cmakedefine CURL_DISABLE_DICT 1 diff --git a/lib/curl_hmac.h b/lib/curl_hmac.h index 11625c0cb42c7c..9438ca782a797e 100644 --- a/lib/curl_hmac.h +++ b/lib/curl_hmac.h @@ -24,7 +24,8 @@ * ***************************************************************************/ -#ifndef CURL_DISABLE_CRYPTO_AUTH +#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \ + || !defined(CURL_DISABLE_AWS) #include diff --git a/lib/curl_md4.h b/lib/curl_md4.h index c19d647df13b3d..4706e49578bb43 100644 --- a/lib/curl_md4.h +++ b/lib/curl_md4.h @@ -27,13 +27,13 @@ #include "curl_setup.h" #include -#if !defined(CURL_DISABLE_CRYPTO_AUTH) +#if defined(USE_CURL_NTLM_CORE) #define MD4_DIGEST_LENGTH 16 CURLcode Curl_md4it(unsigned char *output, const unsigned char *input, const size_t len); -#endif /* !defined(CURL_DISABLE_CRYPTO_AUTH) */ +#endif /* defined(USE_CURL_NTLM_CORE) */ #endif /* HEADER_CURL_MD4_H */ diff --git a/lib/curl_md5.h b/lib/curl_md5.h index ec2512f00280eb..61671c306a643f 100644 --- a/lib/curl_md5.h +++ b/lib/curl_md5.h @@ -24,7 +24,9 @@ * ***************************************************************************/ -#ifndef CURL_DISABLE_CRYPTO_AUTH +#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \ + || !defined(CURL_DISABLE_DIGEST_AUTH) + #include "curl_hmac.h" #define MD5_DIGEST_LEN 16 
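Review bot: The new guard on lib/curl_hmac.h (repeated on lib/hmac.c) is narrower than the guards of the headers that include it. lib/curl_md5.h still pulls in `curl_hmac.h` when only `CURL_DISABLE_DIGEST_AUTH` is unset, and lib/curl_sha256.h and lib/sha256.c do so for Digest or `USE_LIBSSH2`, with sha256.c defining `Curl_HMAC_SHA256[]` as `struct HMAC_params`. A build with AWS disabled, Digest enabled and no NTLM core would therefore see an empty curl_hmac.h, and I would expect it to fail to compile or link. Widening both guards to `(defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) || !defined(CURL_DISABLE_AWS) || !defined(CURL_DISABLE_DIGEST_AUTH) || defined(USE_LIBSSH2)` keeps the HMAC declarations available wherever the hash headers need them. That combination is also worth adding to CI, since each new switch adds configurations that are otherwise never built.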
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c index 1cb0e546fee517..91ddf10622345f 100644 --- a/lib/curl_sasl.c +++ b/lib/curl_sasl.c @@ -420,7 +420,7 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data, } else #endif -#ifndef CURL_DISABLE_CRYPTO_AUTH +#ifndef CURL_DISABLE_DIGEST_AUTH if((enabledmechs & SASL_MECH_DIGEST_MD5) && Curl_auth_is_digest_supported()) { mech = SASL_MECH_STRING_DIGEST_MD5; @@ -530,8 +530,8 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, struct bufref resp; const char *hostname, *disp_hostname; int port; -#if !defined(CURL_DISABLE_CRYPTO_AUTH) || defined(USE_KERBEROS5) || \ - defined(USE_NTLM) +#if defined(USE_KERBEROS5) || defined(USE_NTLM) \ + || !defined(CURL_DISABLE_DIGEST_AUTH) const char *service = data->set.str[STRING_SERVICE_NAME] ? data->set.str[STRING_SERVICE_NAME] : sasl->params->service; @@ -577,7 +577,6 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, case SASL_EXTERNAL: result = Curl_auth_create_external_message(conn->user, &resp); break; -#ifndef CURL_DISABLE_CRYPTO_AUTH #ifdef USE_GSASL case SASL_GSASL: result = get_server_message(sasl, data, &serverdata); @@ -587,6 +586,7 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, newstate = SASL_GSASL; break; #endif +#ifndef CURL_DISABLE_DIGEST_AUTH case SASL_CRAMMD5: result = get_server_message(sasl, data, &serverdata); if(!result) diff --git a/lib/curl_setup.h b/lib/curl_setup.h index 183a8d78fb5add..b43714da7414e4 100644 --- a/lib/curl_setup.h +++ b/lib/curl_setup.h 
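Review bot: `CURL_DISABLE_DIGEST_AUTH` now gates more than Digest, and neither these guards nor docs/CURL-DISABLE.md say so. In this file it removes SASL DIGEST-MD5 and the `SASL_CRAMMD5` case, and in lib/pop3.c it removes APOP, while the docs entry describes it only as disabling "the Digest authentication methods". A builder who turns it off to drop HTTP Digest also loses the challenge-response mechanisms for mail protocols, and what such a client then negotiates is presumably a cleartext mechanism; that should be confirmed and documented. A comment at the guard such as `/* also covers CRAM-MD5, SASL DIGEST-MD5 and POP3 APOP */`, mirrored in the docs entry, would make the scope explicit. `Curl_sasl_start` and `Curl_sasl_continue` both start and end outside these hunks.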
@@ -652,19 +652,19 @@ #endif /* Single point where USE_SPNEGO definition might be defined */ -#if !defined(CURL_DISABLE_CRYPTO_AUTH) && \ +#if !defined(CURL_DISABLE_NEGOTIATE_AUTH) && \ (defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)) #define USE_SPNEGO #endif /* Single point where USE_KERBEROS5 definition might be defined */ -#if !defined(CURL_DISABLE_CRYPTO_AUTH) && \ +#if !defined(CURL_DISABLE_KERBEROS_AUTH) && \ (defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)) #define USE_KERBEROS5 #endif /* Single point where USE_NTLM definition might be defined */ -#if !defined(CURL_DISABLE_CRYPTO_AUTH) && !defined(CURL_DISABLE_NTLM) +#if !defined(CURL_DISABLE_NTLM) # if defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \ defined(USE_GNUTLS) || defined(USE_SECTRANSP) || \ defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \ diff --git a/lib/curl_sha256.h b/lib/curl_sha256.h index c5e157bee1f3d6..d99f958f90d079 100644 --- a/lib/curl_sha256.h +++ b/lib/curl_sha256.h @@ -25,7 +25,9 @@ * ***************************************************************************/ -#ifndef CURL_DISABLE_CRYPTO_AUTH +#if !defined(CURL_DISABLE_AWS) || !defined(CURL_DISABLE_DIGEST_AUTH) \ + || defined(USE_LIBSSH2) + #include #include "curl_hmac.h" diff --git a/lib/easy.c b/lib/easy.c index ea8a18222d8399..16bbd35251d408 100644 --- a/lib/easy.c +++ b/lib/easy.c @@ -1064,7 +1064,7 @@ void curl_easy_reset(struct Curl_easy *data) memset(&data->state.authhost, 0, sizeof(struct auth)); memset(&data->state.authproxy, 0, sizeof(struct auth)); -#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) +#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH) Curl_http_auth_cleanup_digest(data); #endif } diff --git a/lib/hmac.c b/lib/hmac.c index 8d8de1757dde10..87e7be8c653a48 100644 --- a/lib/hmac.c +++ b/lib/hmac.c 
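Review bot: Nothing in lib/curl_setup.h rejects the retired `CURL_DISABLE_CRYPTO_AUTH`, so a build that still defines it by hand (in CPPFLAGS or a custom config header) gets no diagnostic. Judging by the conditions changed here, that build now compiles with SPNEGO, Kerberos and NTLM enabled again. For a build that used the switch to shrink its authentication surface this is a silent regression. Adding `#ifdef CURL_DISABLE_CRYPTO_AUTH` / `#error "CURL_DISABLE_CRYPTO_AUTH was split into per-method CURL_DISABLE_* options"` / `#endif` next to these definitions would turn it into a build failure. NTLM in particular is now controlled by `CURL_DISABLE_NTLM` alone, which deserves a line in the release notes.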
@@ -26,7 +26,8 @@ #include "curl_setup.h" -#ifndef CURL_DISABLE_CRYPTO_AUTH +#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \ + || !defined(CURL_DISABLE_AWS) #include @@ -169,4 +170,4 @@ CURLcode Curl_hmacit(const struct HMAC_params *hashparams, return CURLE_OK; } -#endif /* CURL_DISABLE_CRYPTO_AUTH */ +#endif /* Using NTLM (without SSPI) or AWS */ diff --git a/lib/http.c b/lib/http.c index 647f36f19a4c5c..4344b9dae58b30 100644 --- a/lib/http.c +++ b/lib/http.c @@ -341,6 +341,8 @@ char *Curl_copy_header_value(const char *header) } #ifndef CURL_DISABLE_HTTP_AUTH + +#ifndef CURL_DISABLE_BASIC_AUTH /* * http_output_basic() sets up an Authorization: header (or the proxy version) * for HTTP Basic authentication. @@ -402,6 +404,9 @@ static CURLcode http_output_basic(struct Curl_easy *data, bool proxy) return result; } +#endif + +#ifndef CURL_DISABLE_BEARER_AUTH /* * http_output_bearer() sets up an Authorization: header * for HTTP Bearer authentication. @@ -429,6 +434,8 @@ static CURLcode http_output_bearer(struct Curl_easy *data) #endif +#endif + /* pickoneauth() selects the most favourable authentication method from the * ones available and the ones we want. * 
@@ -445,18 +452,26 @@ static bool pickoneauth(struct auth *pick, unsigned long mask) of preference in case of the existence of multiple accepted types. */ if(avail & CURLAUTH_NEGOTIATE) pick->picked = CURLAUTH_NEGOTIATE; +#ifndef CURL_DISABLE_BEARER_AUTH else if(avail & CURLAUTH_BEARER) pick->picked = CURLAUTH_BEARER; +#endif +#ifndef CURL_DISABLE_DIGEST_AUTH else if(avail & CURLAUTH_DIGEST) pick->picked = CURLAUTH_DIGEST; +#endif else if(avail & CURLAUTH_NTLM) pick->picked = CURLAUTH_NTLM; else if(avail & CURLAUTH_NTLM_WB) pick->picked = CURLAUTH_NTLM_WB; +#ifndef CURL_DISABLE_BASIC_AUTH else if(avail & CURLAUTH_BASIC) pick->picked = CURLAUTH_BASIC; +#endif +#ifndef CURL_DISABLE_AWS else if(avail & CURLAUTH_AWS_SIGV4) pick->picked = CURLAUTH_AWS_SIGV4; +#endif else { pick->picked = CURLAUTH_PICKNONE; /* we select to use nothing */ picked = FALSE; @@ -722,11 +737,11 @@ output_auth_headers(struct Curl_easy *data, CURLcode result = CURLE_OK; (void)conn; -#ifdef CURL_DISABLE_CRYPTO_AUTH +#ifdef CURL_DISABLE_DIGEST_AUTH (void)request; (void)path; #endif -#ifndef CURL_DISABLE_CRYPTO_AUTH +#ifndef CURL_DISABLE_AWS if(authstatus->picked == CURLAUTH_AWS_SIGV4) { auth = "AWS_SIGV4"; result = Curl_output_aws_sigv4(data, proxy); @@ -762,7 +777,7 @@ output_auth_headers(struct Curl_easy *data, } else #endif -#ifndef CURL_DISABLE_CRYPTO_AUTH +#ifndef CURL_DISABLE_DIGEST_AUTH if(authstatus->picked == CURLAUTH_DIGEST) { auth = "Digest"; result = Curl_output_digest(data, @@ -774,6 +789,7 @@ output_auth_headers(struct Curl_easy *data, } else #endif +#ifndef CURL_DISABLE_BASIC_AUTH if(authstatus->picked == CURLAUTH_BASIC) { /* Basic */ if( @@ -793,6 +809,8 @@ output_auth_headers(struct Curl_easy *data, functions work that way */ authstatus->done = TRUE; } +#endif +#ifndef CURL_DISABLE_BEARER_AUTH if(authstatus->picked == CURLAUTH_BEARER) { /* Bearer */ if((!proxy && data->set.str[STRING_BEARER] && 
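Review bot: The `else` that precedes the new `#ifndef CURL_DISABLE_BASIC_AUTH` in `output_auth_headers` is left dangling when Basic and Bearer are both compiled out. It then binds to the `if(auth) {` that follows the Bearer block in the next hunk, so after Digest or another earlier method in the chain is output, that block and whatever `else` belongs to it are skipped. `Curl_http_input_auth` has the same shape further down: once Bearer is disabled, the `else` before the Bearer guard binds to the `while(*auth && *auth != ',')` skip loop, which changes how the rest of the server-supplied header is scanned after a scheme has matched. An empty block after the last `#endif` of each chain, `{ /* ends the else chain when the methods above are compiled out */ }`, gives every trailing `else` a harmless target in all configurations. Both functions start and end outside the visible hunks, so this is read from the hunk lines only.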
@@ -807,6 +825,7 @@ output_auth_headers(struct Curl_easy *data, functions work that way */ authstatus->done = TRUE; } +#endif if(auth) { #ifndef CURL_DISABLE_PROXY @@ -1068,7 +1087,7 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy, } else #endif -#ifndef CURL_DISABLE_CRYPTO_AUTH +#ifndef CURL_DISABLE_DIGEST_AUTH if(checkprefix("Digest", auth) && is_valid_auth_separator(auth[6])) { if((authp->avail & CURLAUTH_DIGEST) != 0) infof(data, "Ignoring duplicate digest auth header."); @@ -1091,6 +1110,7 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy, } else #endif +#ifndef CURL_DISABLE_BASIC_AUTH if(checkprefix("Basic", auth) && is_valid_auth_separator(auth[5])) { *availp |= CURLAUTH_BASIC; @@ -1105,6 +1125,8 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy, } } else +#endif +#ifndef CURL_DISABLE_BEARER_AUTH if(checkprefix("Bearer", auth) && is_valid_auth_separator(auth[6])) { *availp |= CURLAUTH_BEARER; @@ -1117,6 +1139,7 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy, data->state.authproblem = TRUE; } } +#endif /* there may be multiple methods on one line, so keep reading */ while(*auth && *auth != ',') /* read up to the next comma */ diff --git a/lib/http_aws_sigv4.c b/lib/http_aws_sigv4.c index 686d26837deeee..485fcc498507b0 100644 --- a/lib/http_aws_sigv4.c +++ b/lib/http_aws_sigv4.c @@ -24,7 +24,7 @@ #include "curl_setup.h" -#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) +#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_AWS) #include "urldata.h" #include "strcase.h" @@ -646,4 +646,4 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) return ret; } -#endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) */ +#endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_AWS) */ diff --git a/lib/http_digest.c b/lib/http_digest.c index 8daad99e32fec1..2db3125a8e6656 100644 --- a/lib/http_digest.c +++ b/lib/http_digest.c 
@@ -24,7 +24,7 @@ #include "curl_setup.h" -#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) +#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH) #include "urldata.h" #include "strcase.h" diff --git a/lib/http_digest.h b/lib/http_digest.h index 7d5cfc1bfd38c0..5f797310fd9c50 100644 --- a/lib/http_digest.h +++ b/lib/http_digest.h @@ -25,7 +25,7 @@ ***************************************************************************/ #include "curl_setup.h" -#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) +#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH) /* this is for digest header input */ CURLcode Curl_input_digest(struct Curl_easy *data, @@ -39,6 +39,6 @@ CURLcode Curl_output_digest(struct Curl_easy *data, void Curl_http_auth_cleanup_digest(struct Curl_easy *data); -#endif /* !CURL_DISABLE_HTTP && !CURL_DISABLE_CRYPTO_AUTH */ +#endif /* !CURL_DISABLE_HTTP && !CURL_DISABLE_DIGEST_AUTH */ #endif /* HEADER_CURL_HTTP_DIGEST_H */ diff --git a/lib/ldap.c b/lib/ldap.c index ae400726b1be3c..33a4dea0a8bcf2 100644 --- a/lib/ldap.c +++ b/lib/ldap.c @@ -239,7 +239,7 @@ static int ldap_win_bind_auth(LDAP *server, const char *user, } else #endif -#if !defined(CURL_DISABLE_CRYPTO_AUTH) +#if !defined(CURL_DISABLE_DIGEST_AUTH) if(authflags & CURLAUTH_DIGEST) { method = LDAP_AUTH_DIGEST; } diff --git a/lib/md5.c b/lib/md5.c index 1e1a3448518a11..01415af911f46d 100644 --- a/lib/md5.c +++ b/lib/md5.c @@ -24,7 +24,8 @@ #include "curl_setup.h" -#ifndef CURL_DISABLE_CRYPTO_AUTH +#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \ + || !defined(CURL_DISABLE_DIGEST_AUTH) #include #include @@ -652,4 +653,4 @@ CURLcode Curl_MD5_final(struct MD5_context *context, unsigned char *result) return CURLE_OK; } -#endif /* CURL_DISABLE_CRYPTO_AUTH */ +#endif /* Using NTLM (without SSPI) || Digest */ diff --git a/lib/pop3.c b/lib/pop3.c index a2ab34aef1e40b..a9d5fdd698085c 100644 --- a/lib/pop3.c +++ b/lib/pop3.c 
@@ -419,7 +419,7 @@ static CURLcode pop3_perform_user(struct Curl_easy *data, return result; } -#ifndef CURL_DISABLE_CRYPTO_AUTH +#ifndef CURL_DISABLE_DIGEST_AUTH /*********************************************************************** * * pop3_perform_apop() @@ -563,7 +563,7 @@ static CURLcode pop3_perform_authentication(struct Curl_easy *data, } if(!result && progress == SASL_IDLE) { -#ifndef CURL_DISABLE_CRYPTO_AUTH +#ifndef CURL_DISABLE_DIGEST_AUTH if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_APOP) /* Perform APOP authentication */ result = pop3_perform_apop(data, conn); @@ -831,7 +831,7 @@ static CURLcode pop3_state_auth_resp(struct Curl_easy *data, pop3_state(data, POP3_STOP); /* Authenticated */ break; case SASL_IDLE: /* No mechanism left after cancellation */ -#ifndef CURL_DISABLE_CRYPTO_AUTH +#ifndef CURL_DISABLE_DIGEST_AUTH if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_APOP) /* Perform APOP authentication */ result = pop3_perform_apop(data, conn); @@ -852,7 +852,7 @@ static CURLcode pop3_state_auth_resp(struct Curl_easy *data, return result; } -#ifndef CURL_DISABLE_CRYPTO_AUTH +#ifndef CURL_DISABLE_DIGEST_AUTH /* For APOP responses */ static CURLcode pop3_state_apop_resp(struct Curl_easy *data, int pop3code, pop3state instate) @@ -1015,7 +1015,7 @@ static CURLcode pop3_statemachine(struct Curl_easy *data, result = pop3_state_auth_resp(data, pop3code, pop3c->state); break; -#ifndef CURL_DISABLE_CRYPTO_AUTH +#ifndef CURL_DISABLE_DIGEST_AUTH case POP3_APOP: result = pop3_state_apop_resp(data, pop3code, pop3c->state); break; diff --git a/lib/setopt.c b/lib/setopt.c index e2e3d8560ca477..2cef1b3d828fb4 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -679,6 +679,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) break; #endif +#if !defined(CURL_DISABLE_AWS) case CURLOPT_AWS_SIGV4: /* * String that is merged to some authentication 
@@ -692,6 +693,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) if(data->set.str[STRING_AWS_SIGV4]) data->set.httpauth = CURLAUTH_AWS_SIGV4; break; +#endif case CURLOPT_REFERER: /* diff --git a/lib/sha256.c b/lib/sha256.c index 47aa7d5450627d..4a02045d26ee1b 100644 --- a/lib/sha256.c +++ b/lib/sha256.c @@ -25,7 +25,8 @@ #include "curl_setup.h" -#ifndef CURL_DISABLE_CRYPTO_AUTH +#if !defined(CURL_DISABLE_AWS) || !defined(CURL_DISABLE_DIGEST_AUTH) \ + || defined(USE_LIBSSH2) #include "warnless.h" #include "curl_sha256.h" @@ -541,4 +542,4 @@ const struct HMAC_params Curl_HMAC_SHA256[] = { }; -#endif /* CURL_DISABLE_CRYPTO_AUTH */ +#endif /* AWS, DIGEST, or libSSH2 */ diff --git a/lib/url.c b/lib/url.c index cd54523c31645b..4f5673ed0d9395 100644 --- a/lib/url.c +++ b/lib/url.c @@ -414,7 +414,7 @@ CURLcode Curl_close(struct Curl_easy **datap) Curl_hsts_cleanup(&data->hsts); curl_slist_free_all(data->set.hstslist); /* clean up list */ #endif -#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) +#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH) Curl_http_auth_cleanup_digest(data); #endif Curl_safefree(data->info.contenttype); diff --git a/lib/urldata.h b/lib/urldata.h index 0af5a94ddd47a6..4bfb3b48d26e5a 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -336,6 +336,7 @@ struct Curl_ssl_session { #include "curl_sspi.h" #endif +#ifndef CURL_DISABLE_DIGEST_AUTH /* Struct used for Digest challenge-response authentication */ struct digestdata { #if defined(USE_WINDOWS_SSPI) @@ -359,6 +360,7 @@ struct digestdata { BIT(userhash); #endif }; +#endif typedef enum { NTLMSTATE_NONE, 
@@ -1347,7 +1349,7 @@ struct UrlState { /* storage for the previous bag^H^H^HSIGPIPE signal handler :-) */ void (*prev_signal)(int sig); #endif -#ifndef CURL_DISABLE_CRYPTO_AUTH +#ifndef CURL_DISABLE_DIGEST_AUTH struct digestdata digest; /* state data for host Digest auth */ struct digestdata proxydigest; /* state data for proxy Digest auth */ #endif diff --git a/lib/vauth/cram.c b/lib/vauth/cram.c index 5894ed4bcfe420..91fb261c57ac79 100644 --- a/lib/vauth/cram.c +++ b/lib/vauth/cram.c @@ -26,7 +26,7 @@ #include "curl_setup.h" -#if !defined(CURL_DISABLE_CRYPTO_AUTH) +#ifndef CURL_DISABLE_DIGEST_AUTH #include #include "urldata.h" @@ -94,4 +94,4 @@ CURLcode Curl_auth_create_cram_md5_message(const struct bufref *chlg, return CURLE_OK; } -#endif /* !CURL_DISABLE_CRYPTO_AUTH */ +#endif /* !CURL_DISABLE_DIGEST_AUTH */ diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c index fda2d911f7b120..1983d03c77fee4 100644 --- a/lib/vauth/digest.c +++ b/lib/vauth/digest.c @@ -27,7 +27,7 @@ #include "curl_setup.h" -#if !defined(CURL_DISABLE_CRYPTO_AUTH) +#ifndef CURL_DISABLE_DIGEST_AUTH #include @@ -992,4 +992,4 @@ void Curl_auth_digest_cleanup(struct digestdata *digest) } #endif /* !USE_WINDOWS_SSPI */ -#endif /* CURL_DISABLE_CRYPTO_AUTH */ +#endif /* !CURL_DISABLE_DIGEST_AUTH */ diff --git a/lib/vauth/digest.h b/lib/vauth/digest.h index 68fdb28c4727bd..99ce1f9138920a 100644 --- a/lib/vauth/digest.h +++ b/lib/vauth/digest.h @@ -26,7 +26,7 @@ #include -#if !defined(CURL_DISABLE_CRYPTO_AUTH) +#ifndef CURL_DISABLE_DIGEST_AUTH #define DIGEST_MAX_VALUE_LENGTH 256 #define DIGEST_MAX_CONTENT_LENGTH 1024 diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c index 8fb86693936018..02e36ea5ed833a 100644 --- a/lib/vauth/digest_sspi.c +++ b/lib/vauth/digest_sspi.c @@ -27,7 +27,7 @@ #include "curl_setup.h" -#if defined(USE_WINDOWS_SSPI) && !defined(CURL_DISABLE_CRYPTO_AUTH) +#if defined(USE_WINDOWS_SSPI) && !defined(CURL_DISABLE_DIGEST_AUTH) #include 
@@ -665,4 +665,4 @@ void Curl_auth_digest_cleanup(struct digestdata *digest) Curl_safefree(digest->passwd); } -#endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_CRYPTO_AUTH */ +#endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_DIGEST_AUTH */ diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h index d8cff24381e86e..9da05408922a40 100644 --- a/lib/vauth/vauth.h +++ b/lib/vauth/vauth.h @@ -30,7 +30,7 @@ struct Curl_easy; -#if !defined(CURL_DISABLE_CRYPTO_AUTH) +#if !defined(CURL_DISABLE_DIGEST_AUTH) struct digestdata; #endif @@ -86,7 +86,7 @@ CURLcode Curl_auth_create_login_message(const char *value, CURLcode Curl_auth_create_external_message(const char *user, struct bufref *out); -#if !defined(CURL_DISABLE_CRYPTO_AUTH) +#ifndef CURL_DISABLE_DIGEST_AUTH /* This is used to generate a CRAM-MD5 response message */ CURLcode Curl_auth_create_cram_md5_message(const struct bufref *chlg, const char *userp, @@ -119,7 +119,7 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, /* This is used to clean up the digest specific data */ void Curl_auth_digest_cleanup(struct digestdata *digest); -#endif /* !CURL_DISABLE_CRYPTO_AUTH */ +#endif /* !CURL_DISABLE_DIGEST_AUTH */ #ifdef USE_GSASL /* This is used to evaluate if MECH is supported by gsasl */ diff --git a/packages/vms/generate_config_vms_h_curl.com b/packages/vms/generate_config_vms_h_curl.com index 96e2e0ce1c8092..99a39c844135ba 100644 --- a/packages/vms/generate_config_vms_h_curl.com +++ b/packages/vms/generate_config_vms_h_curl.com @@ -237,9 +237,6 @@ $! $write cvh "#ifdef CURL_DISABLE_COOKIES" $write cvh "#undef CURL_DISABLE_COOKIES" $write cvh "#endif" -$write cvh "#ifdef CURL_DISABLE_CRYPTO_AUTH" -$write cvh "#undef CURL_DISABLE_CRYPTO_AUTH" -$write cvh "#endif" $write cvh "#ifdef CURL_DISABLE_DICT" $write cvh "#undef CURL_DISABLE_DICT" $write cvh "#endif" diff --git a/tests/server/disabled.c b/tests/server/disabled.c index 82fa854e3f50ab..0b84134fc2d23b 100644 --- a/tests/server/disabled.c 
+++ b/tests/server/disabled.c @@ -43,8 +43,20 @@ static const char *disabled[]={ #ifdef CURL_DISABLE_COOKIES "cookies", #endif -#ifdef CURL_DISABLE_CRYPTO_AUTH - "crypto", +#ifdef CURL_DISABLE_BASIC_AUTH + "basic-auth", +#endif +#ifdef CURL_DISABLE_BEARER_AUTH + "bearer-auth", +#endif +#ifdef CURL_DISABLE_DIGEST_AUTH + "digest-auth", +#endif +#ifdef CURL_DISABLE_NEGOTIATE_AUTH + "negotiate-auth", +#endif +#ifdef CURL_DISABLE_AWS + "aws", #endif #ifdef CURL_DISABLE_DOH "DoH", diff --git a/tests/unit/unit1601.c b/tests/unit/unit1601.c index 0bea388a0e0c2f..4623bb7769bd8d 100644 --- a/tests/unit/unit1601.c +++ b/tests/unit/unit1601.c @@ -37,7 +37,9 @@ static void unit_stop(void) UNITTEST_START -#ifndef CURL_DISABLE_CRYPTO_AUTH +#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \ + || !defined(CURL_DISABLE_DIGEST_AUTH) + const char string1[] = "1"; const char string2[] = "hello-you-fool"; unsigned char output[MD5_DIGEST_LEN]; diff --git a/tests/unit/unit1610.c b/tests/unit/unit1610.c index 5624df8d609d01..b4c6ef4d347ee0 100644 --- a/tests/unit/unit1610.c +++ b/tests/unit/unit1610.c @@ -39,7 +39,9 @@ static void unit_stop(void) UNITTEST_START -#ifndef CURL_DISABLE_CRYPTO_AUTH +#if !defined(CURL_DISABLE_AWS) || !defined(CURL_DISABLE_DIGEST_AUTH) \ + || defined(USE_LIBSSH2) + const char string1[] = "1"; const char string2[] = "hello-you-fool"; unsigned char output[SHA256_DIGEST_LENGTH]; diff --git a/tests/unit/unit1612.c b/tests/unit/unit1612.c index 1e99eeb7c38d5b..1f5b34d13751d2 100644 --- a/tests/unit/unit1612.c +++ b/tests/unit/unit1612.c @@ -38,7 +38,9 @@ static void unit_stop(void) UNITTEST_START -#ifndef CURL_DISABLE_CRYPTO_AUTH +#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \ + || !defined(CURL_DISABLE_DIGEST_AUTH) + const char password[] = "Pa55worD"; const char string1[] = "1"; const char string2[] = "hello-you-fool";
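Review bot: The `disabled[]` list gains entries for Basic, Bearer, Digest, Negotiate and AWS but none for `CURL_DISABLE_KERBEROS_AUTH`, so the test suite has no way to learn that Kerberos was compiled out. Adding `#ifdef CURL_DISABLE_KERBEROS_AUTH` / `"kerberos-auth",` / `#endif` after the Digest entry would keep the list in step with the new build options. Test cases that keyed on the removed `"crypto"` keyword would presumably need to move to the new names as well; that is not visible in this hunk.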