lib: add ability to disable auths individually
Both with configure and cmake
Closes #11490
diff --git a/CMakeLists.txt b/CMakeLists.txt
index cb2290d..bc42c6a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -191,8 +191,18 @@
mark_as_advanced(CURL_DISABLE_ALTSVC)
option(CURL_DISABLE_COOKIES "disables cookies support" OFF)
mark_as_advanced(CURL_DISABLE_COOKIES)
-option(CURL_DISABLE_CRYPTO_AUTH "disables cryptographic authentication" OFF)
-mark_as_advanced(CURL_DISABLE_CRYPTO_AUTH)
+option(CURL_DISABLE_BASIC_AUTH "disables Basic authentication" OFF)
+mark_as_advanced(CURL_DISABLE_BASIC_AUTH)
+option(CURL_DISABLE_BEARER_AUTH "disables Bearer authentication" OFF)
+mark_as_advanced(CURL_DISABLE_BEARER_AUTH)
+option(CURL_DISABLE_DIGEST_AUTH "disables Digest authentication" OFF)
+mark_as_advanced(CURL_DISABLE_DIGEST_AUTH)
+option(CURL_DISABLE_KERBEROS_AUTH "disables Kerberos authentication" OFF)
+mark_as_advanced(CURL_DISABLE_KERBEROS_AUTH)
+option(CURL_DISABLE_NEGOTIATE_AUTH "disables negotiate authentication" OFF)
+mark_as_advanced(CURL_DISABLE_NEGOTIATE_AUTH)
+option(CURL_DISABLE_AWS "disables AWS-SIG4" OFF)
+mark_as_advanced(CURL_DISABLE_AWS)
option(CURL_DISABLE_DICT "disables DICT" OFF)
mark_as_advanced(CURL_DISABLE_DICT)
option(CURL_DISABLE_DOH "disables DNS-over-HTTPS" OFF)
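Review bot: `CURL_DISABLE_CRYPTO_AUTH` is removed here with no fallback, so a build that still passes `-DCURL_DISABLE_CRYPTO_AUTH=ON` to reduce its authentication surface will configure (at most with an unused-variable warning) and ship with every method enabled. The same holds for `--disable-crypto-auth` in the configure.ac hunk, and for NTLM, which in the later hunks depends only on `CURL_DISABLE_NTLM`. A guard next to the new options would make the removal visible: `if(CURL_DISABLE_CRYPTO_AUTH)`, `message(FATAL_ERROR "CURL_DISABLE_CRYPTO_AUTH was removed; use the per-method CURL_DISABLE_*_AUTH, CURL_DISABLE_AWS and CURL_DISABLE_NTLM options")`, `endif()`.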
@@ -1448,7 +1458,7 @@
# NTLM support requires crypto function adaptions from various SSL libs
# TODO alternative SSL libs tests for SSP1, GNUTLS, NSS
-if(NOT (CURL_DISABLE_CRYPTO_AUTH OR CURL_DISABLE_NTLM) AND
+if(NOT (CURL_DISABLE_NTLM) AND
(USE_OPENSSL OR USE_MBEDTLS OR USE_DARWINSSL OR USE_WIN32_CRYPTO OR USE_GNUTLS))
set(use_curl_ntlm_core ON)
endif()
@@ -1471,16 +1481,16 @@
_add_if("alt-svc" NOT CURL_DISABLE_ALTSVC)
_add_if("HSTS" NOT CURL_DISABLE_HSTS)
# TODO SSP1 missing for SPNEGO
-_add_if("SPNEGO" NOT CURL_DISABLE_CRYPTO_AUTH AND
+_add_if("SPNEGO" NOT CURL_DISABLE_NEGOTIATE_AUTH AND
(HAVE_GSSAPI OR USE_WINDOWS_SSPI))
-_add_if("Kerberos" NOT CURL_DISABLE_CRYPTO_AUTH AND
+_add_if("Kerberos" NOT CURL_DISABLE_KERBEROS_AUTH AND
(HAVE_GSSAPI OR USE_WINDOWS_SSPI))
# NTLM support requires crypto function adaptions from various SSL libs
# TODO alternative SSL libs tests for SSP1, GNUTLS, NSS
-_add_if("NTLM" NOT (CURL_DISABLE_CRYPTO_AUTH OR CURL_DISABLE_NTLM) AND
+_add_if("NTLM" NOT (CURL_DISABLE_NTLM) AND
(use_curl_ntlm_core OR USE_WINDOWS_SSPI))
# TODO missing option (autoconf: --enable-ntlm-wb)
-_add_if("NTLM_WB" NOT (CURL_DISABLE_CRYPTO_AUTH OR CURL_DISABLE_NTLM) AND
+_add_if("NTLM_WB" NOT (CURL_DISABLE_NTLM) AND
(use_curl_ntlm_core OR USE_WINDOWS_SSPI) AND
NOT CURL_DISABLE_HTTP AND NTLM_WB_ENABLED)
# TODO missing option (--enable-tls-srp), depends on GNUTLS_SRP/OPENSSL_SRP
diff --git a/configure.ac b/configure.ac
index 0aa6daa..5c57b41 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3935,17 +3935,113 @@
)
dnl ************************************************************
-dnl disable cryptographic authentication
+dnl disable basic authentication
dnl
-AC_MSG_CHECKING([whether to enable cryptographic authentication methods])
-AC_ARG_ENABLE(crypto-auth,
-AS_HELP_STRING([--enable-crypto-auth],[Enable cryptographic authentication])
-AS_HELP_STRING([--disable-crypto-auth],[Disable cryptographic authentication]),
+AC_MSG_CHECKING([whether to enable basic authentication method])
+AC_ARG_ENABLE(basic-auth,
+AS_HELP_STRING([--enable-basic-auth],[Enable basic authentication (default)])
+AS_HELP_STRING([--disable-basic-auth],[Disable basic authentication]),
[ case "$enableval" in
no)
AC_MSG_RESULT(no)
- AC_DEFINE(CURL_DISABLE_CRYPTO_AUTH, 1, [to disable cryptographic authentication])
- CURL_DISABLE_CRYPTO_AUTH=1
+ AC_DEFINE(CURL_DISABLE_BASIC_AUTH, 1, [to disable basic authentication])
+ CURL_DISABLE_BASIC_AUTH=1
+ ;;
+ *) AC_MSG_RESULT(yes)
+ ;;
+ esac ],
+ AC_MSG_RESULT(yes)
+)
+
+dnl ************************************************************
+dnl disable bearer authentication
+dnl
+AC_MSG_CHECKING([whether to enable bearer authentication method])
+AC_ARG_ENABLE(bearer-auth,
+AS_HELP_STRING([--enable-bearer-auth],[Enable bearer authentication (default)])
+AS_HELP_STRING([--disable-bearer-auth],[Disable bearer authentication]),
+[ case "$enableval" in
+ no)
+ AC_MSG_RESULT(no)
+ AC_DEFINE(CURL_DISABLE_BEARER_AUTH, 1, [to disable bearer authentication])
+ CURL_DISABLE_BEARER_AUTH=1
+ ;;
+ *) AC_MSG_RESULT(yes)
+ ;;
+ esac ],
+ AC_MSG_RESULT(yes)
+)
+
+dnl ************************************************************
+dnl disable digest authentication
+dnl
+AC_MSG_CHECKING([whether to enable digest authentication method])
+AC_ARG_ENABLE(digest-auth,
+AS_HELP_STRING([--enable-digest-auth],[Enable digest authentication (default)])
+AS_HELP_STRING([--disable-digest-auth],[Disable digest authentication]),
+[ case "$enableval" in
+ no)
+ AC_MSG_RESULT(no)
+ AC_DEFINE(CURL_DISABLE_DIGEST_AUTH, 1, [to disable digest authentication])
+ CURL_DISABLE_DIGEST_AUTH=1
+ ;;
+ *) AC_MSG_RESULT(yes)
+ ;;
+ esac ],
+ AC_MSG_RESULT(yes)
+)
+
+dnl ************************************************************
+dnl disable kerberos authentication
+dnl
+AC_MSG_CHECKING([whether to enable kerberos authentication method])
+AC_ARG_ENABLE(kerberos-auth,
+AS_HELP_STRING([--enable-kerberos-auth],[Enable kerberos authentication (default)])
+AS_HELP_STRING([--disable-kerberos-auth],[Disable kerberos authentication]),
+[ case "$enableval" in
+ no)
+ AC_MSG_RESULT(no)
+ AC_DEFINE(CURL_DISABLE_KERBEROS_AUTH, 1, [to disable kerberos authentication])
+ CURL_DISABLE_KERBEROS_AUTH=1
+ ;;
+ *) AC_MSG_RESULT(yes)
+ ;;
+ esac ],
+ AC_MSG_RESULT(yes)
+)
+
+dnl ************************************************************
+dnl disable negotiate authentication
+dnl
+AC_MSG_CHECKING([whether to enable negotiate authentication method])
+AC_ARG_ENABLE(negotiate-auth,
+AS_HELP_STRING([--enable-negotiate-auth],[Enable negotiate authentication (default)])
+AS_HELP_STRING([--disable-negotiate-auth],[Disable negotiate authentication]),
+[ case "$enableval" in
+ no)
+ AC_MSG_RESULT(no)
+ AC_DEFINE(CURL_DISABLE_NEGOTIATE_AUTH, 1, [to disable negotiate authentication])
+ CURL_DISABLE_NEGOTIATE_AUTH=1
+ ;;
+ *) AC_MSG_RESULT(yes)
+ ;;
+ esac ],
+ AC_MSG_RESULT(yes)
+)
+
+
+dnl ************************************************************
+dnl disable aws
+dnl
+AC_MSG_CHECKING([whether to enable aws sig methods])
+AC_ARG_ENABLE(aws,
+AS_HELP_STRING([--enable-aws],[Enable AWS sig support (default)])
+AS_HELP_STRING([--disable-aws],[Disable AWS sig support]),
+[ case "$enableval" in
+ no)
+ AC_MSG_RESULT(no)
+ AC_DEFINE(CURL_DISABLE_AWS, 1, [to disable AWS sig support])
+ CURL_DISABLE_AWS=1
;;
*) AC_MSG_RESULT(yes)
;;
@@ -4498,20 +4594,19 @@
SUPPORT_FEATURES="$SUPPORT_FEATURES HSTS"
fi
-if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" -a \
+if test "x$CURL_DISABLE_NEGOTIATE_AUTH" != "x1" -a \
\( "x$HAVE_GSSAPI" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \); then
SUPPORT_FEATURES="$SUPPORT_FEATURES SPNEGO"
fi
-if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" -a \
+if test "x$CURL_DISABLE_KERBEROS_AUTH" != "x1" -a \
\( "x$HAVE_GSSAPI" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \); then
SUPPORT_FEATURES="$SUPPORT_FEATURES Kerberos"
fi
use_curl_ntlm_core=no
-if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" -a \
- "x$CURL_DISABLE_NTLM" != "x1"; then
+if test "x$CURL_DISABLE_NTLM" != "x1"; then
if test "x$OPENSSL_ENABLED" = "x1" -o "x$MBEDTLS_ENABLED" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" \
-o "x$SECURETRANSPORT_ENABLED" = "x1" \
diff --git a/docs/CURL-DISABLE.md b/docs/CURL-DISABLE.md
index 83186ff..7978ed2 100644
--- a/docs/CURL-DISABLE.md
+++ b/docs/CURL-DISABLE.md
@@ -12,9 +12,29 @@
Disable support for HTTP cookies.
-## `CURL_DISABLE_CRYPTO_AUTH`
+## `CURL_DISABLE_BASIC_AUTH`
-Disable support for authentication methods using crypto.
+Disable support for the Basic authentication methods.
+
+## `CURL_DISABLE_BEARER_AUTH`
+
+Disable support for the Bearer authentication methods.
+
+## `CURL_DISABLE_DIGEST_AUTH`
+
+Disable support for the Digest authentication methods.
+
+## `CURL_DISABLE_KERBEROS_AUTH`
+
+Disable support for the Kerberos authentication methods.
+
+## `CURL_DISABLE_NEGOTIATE_AUTH`
+
+Disable support for the negotiate authentication methods.
+
+## `CURL_DISABLE_AWS`
+
+Disable **AWS-SIG4** support.
## `CURL_DISABLE_DICT`
diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
index 4cfc2ec..8e76b00 100644
--- a/lib/curl_config.h.cmake
+++ b/lib/curl_config.h.cmake
@@ -41,8 +41,23 @@
/* disables cookies support */
#cmakedefine CURL_DISABLE_COOKIES 1
-/* disables cryptographic authentication */
-#cmakedefine CURL_DISABLE_CRYPTO_AUTH 1
+/* disables Basic authentication */
+#cmakedefine CURL_DISABLE_BASIC_AUTH 1
+
+/* disables Bearer authentication */
+#cmakedefine CURL_DISABLE_BEARER_AUTH 1
+
+/* disables Digest authentication */
+#cmakedefine CURL_DISABLE_DIGEST_AUTH 1
+
+/* disables Kerberos authentication */
+#cmakedefine CURL_DISABLE_KERBEROS_AUTH 1
+
+/* disables negotiate authentication */
+#cmakedefine CURL_DISABLE_NEGOTIATE_AUTH 1
+
+/* disables AWS-SIG4 */
+#cmakedefine CURL_DISABLE_AWS 1
/* disables DICT */
#cmakedefine CURL_DISABLE_DICT 1
diff --git a/lib/curl_hmac.h b/lib/curl_hmac.h
index 11625c0..9438ca7 100644
--- a/lib/curl_hmac.h
+++ b/lib/curl_hmac.h
@@ -24,7 +24,8 @@
*
***************************************************************************/
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
+ || !defined(CURL_DISABLE_AWS)
#include <curl/curl.h>
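Review bot: The new guard on curl_hmac.h, and the matching one in the lib/hmac.c hunk, omits `CURL_DISABLE_DIGEST_AUTH`. The curl_md5.h and curl_sha256.h hunks, however, keep `#include "curl_hmac.h"` under guards that are true whenever Digest is enabled, and vauth/cram.c is now built under `#ifndef CURL_DISABLE_DIGEST_AUTH`. A build with AWS and NTLM disabled but Digest enabled would therefore see an empty curl_hmac.h and no HMAC implementation; if any of those consumers use the HMAC types or functions, which seems likely for CRAM-MD5, it will fail to compile or link. Widening the condition to cover every consumer would avoid that: `|| !defined(CURL_DISABLE_AWS) || !defined(CURL_DISABLE_DIGEST_AUTH) || defined(USE_LIBSSH2)`. The header bodies are outside these hunks, so the exact set of users should be checked.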
diff --git a/lib/curl_md4.h b/lib/curl_md4.h
index c19d647..4706e49 100644
--- a/lib/curl_md4.h
+++ b/lib/curl_md4.h
@@ -27,13 +27,13 @@
#include "curl_setup.h"
#include <curl/curl.h>
-#if !defined(CURL_DISABLE_CRYPTO_AUTH)
+#if defined(USE_CURL_NTLM_CORE)
#define MD4_DIGEST_LENGTH 16
CURLcode Curl_md4it(unsigned char *output, const unsigned char *input,
const size_t len);
-#endif /* !defined(CURL_DISABLE_CRYPTO_AUTH) */
+#endif /* defined(USE_CURL_NTLM_CORE) */
#endif /* HEADER_CURL_MD4_H */
diff --git a/lib/curl_md5.h b/lib/curl_md5.h
index ec2512f..61671c3 100644
--- a/lib/curl_md5.h
+++ b/lib/curl_md5.h
@@ -24,7 +24,9 @@
*
***************************************************************************/
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
+ || !defined(CURL_DISABLE_DIGEST_AUTH)
+
#include "curl_hmac.h"
#define MD5_DIGEST_LEN 16
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 1cb0e54..91ddf10 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -420,7 +420,7 @@
}
else
#endif
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#ifndef CURL_DISABLE_DIGEST_AUTH
if((enabledmechs & SASL_MECH_DIGEST_MD5) &&
Curl_auth_is_digest_supported()) {
mech = SASL_MECH_STRING_DIGEST_MD5;
@@ -530,8 +530,8 @@
struct bufref resp;
const char *hostname, *disp_hostname;
int port;
-#if !defined(CURL_DISABLE_CRYPTO_AUTH) || defined(USE_KERBEROS5) || \
- defined(USE_NTLM)
+#if defined(USE_KERBEROS5) || defined(USE_NTLM) \
+ || !defined(CURL_DISABLE_DIGEST_AUTH)
const char *service = data->set.str[STRING_SERVICE_NAME] ?
data->set.str[STRING_SERVICE_NAME] :
sasl->params->service;
@@ -577,7 +577,6 @@
case SASL_EXTERNAL:
result = Curl_auth_create_external_message(conn->user, &resp);
break;
-#ifndef CURL_DISABLE_CRYPTO_AUTH
#ifdef USE_GSASL
case SASL_GSASL:
result = get_server_message(sasl, data, &serverdata);
@@ -587,6 +586,7 @@
newstate = SASL_GSASL;
break;
#endif
+#ifndef CURL_DISABLE_DIGEST_AUTH
case SASL_CRAMMD5:
result = get_server_message(sasl, data, &serverdata);
if(!result)
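Review bot: `case SASL_CRAMMD5` is now compiled only when `CURL_DISABLE_DIGEST_AUTH` is unset, which the option name and its help text ("disables Digest authentication") do not suggest. The pop3.c hunks gate APOP the same way and the ldap.c hunk does so for `CURLAUTH_DIGEST`, so one switch covers several mechanisms. A comment at the guard would record that, for example `/* CRAM-MD5 shares the Digest switch: CURL_DISABLE_DIGEST_AUTH removes it too */`, and the option description could list the affected mechanisms. The matching `#endif` and the rest of the switch are outside this hunk.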
diff --git a/lib/curl_setup.h b/lib/curl_setup.h
index 183a8d7..b43714d 100644
--- a/lib/curl_setup.h
+++ b/lib/curl_setup.h
@@ -652,19 +652,19 @@
#endif
/* Single point where USE_SPNEGO definition might be defined */
-#if !defined(CURL_DISABLE_CRYPTO_AUTH) && \
+#if !defined(CURL_DISABLE_NEGOTIATE_AUTH) && \
(defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI))
#define USE_SPNEGO
#endif
/* Single point where USE_KERBEROS5 definition might be defined */
-#if !defined(CURL_DISABLE_CRYPTO_AUTH) && \
+#if !defined(CURL_DISABLE_KERBEROS_AUTH) && \
(defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI))
#define USE_KERBEROS5
#endif
/* Single point where USE_NTLM definition might be defined */
-#if !defined(CURL_DISABLE_CRYPTO_AUTH) && !defined(CURL_DISABLE_NTLM)
+#if !defined(CURL_DISABLE_NTLM)
# if defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \
defined(USE_GNUTLS) || defined(USE_SECTRANSP) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \
diff --git a/lib/curl_sha256.h b/lib/curl_sha256.h
index c5e157b..d99f958 100644
--- a/lib/curl_sha256.h
+++ b/lib/curl_sha256.h
@@ -25,7 +25,9 @@
*
***************************************************************************/
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#if !defined(CURL_DISABLE_AWS) || !defined(CURL_DISABLE_DIGEST_AUTH) \
+ || defined(USE_LIBSSH2)
+
#include <curl/curl.h>
#include "curl_hmac.h"
diff --git a/lib/easy.c b/lib/easy.c
index ea8a182..16bbd35 100644
--- a/lib/easy.c
+++ b/lib/easy.c
@@ -1064,7 +1064,7 @@
memset(&data->state.authhost, 0, sizeof(struct auth));
memset(&data->state.authproxy, 0, sizeof(struct auth));
-#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
+#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
Curl_http_auth_cleanup_digest(data);
#endif
}
diff --git a/lib/hmac.c b/lib/hmac.c
index 8d8de17..87e7be8 100644
--- a/lib/hmac.c
+++ b/lib/hmac.c
@@ -26,7 +26,8 @@
#include "curl_setup.h"
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
+ || !defined(CURL_DISABLE_AWS)
#include <curl/curl.h>
@@ -169,4 +170,4 @@
return CURLE_OK;
}
-#endif /* CURL_DISABLE_CRYPTO_AUTH */
+#endif /* Using NTLM (without SSPI) or AWS */
diff --git a/lib/http.c b/lib/http.c
index 647f36f..4344b9d 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -341,6 +341,8 @@
}
#ifndef CURL_DISABLE_HTTP_AUTH
+
+#ifndef CURL_DISABLE_BASIC_AUTH
/*
* http_output_basic() sets up an Authorization: header (or the proxy version)
* for HTTP Basic authentication.
@@ -402,6 +404,9 @@
return result;
}
+#endif
+
+#ifndef CURL_DISABLE_BEARER_AUTH
/*
* http_output_bearer() sets up an Authorization: header
* for HTTP Bearer authentication.
@@ -429,6 +434,8 @@
#endif
+#endif
+
/* pickoneauth() selects the most favourable authentication method from the
* ones available and the ones we want.
*
@@ -445,18 +452,26 @@
of preference in case of the existence of multiple accepted types. */
if(avail & CURLAUTH_NEGOTIATE)
pick->picked = CURLAUTH_NEGOTIATE;
+#ifndef CURL_DISABLE_BEARER_AUTH
else if(avail & CURLAUTH_BEARER)
pick->picked = CURLAUTH_BEARER;
+#endif
+#ifndef CURL_DISABLE_DIGEST_AUTH
else if(avail & CURLAUTH_DIGEST)
pick->picked = CURLAUTH_DIGEST;
+#endif
else if(avail & CURLAUTH_NTLM)
pick->picked = CURLAUTH_NTLM;
else if(avail & CURLAUTH_NTLM_WB)
pick->picked = CURLAUTH_NTLM_WB;
+#ifndef CURL_DISABLE_BASIC_AUTH
else if(avail & CURLAUTH_BASIC)
pick->picked = CURLAUTH_BASIC;
+#endif
+#ifndef CURL_DISABLE_AWS
else if(avail & CURLAUTH_AWS_SIGV4)
pick->picked = CURLAUTH_AWS_SIGV4;
+#endif
else {
pick->picked = CURLAUTH_PICKNONE; /* we select to use nothing */
picked = FALSE;
@@ -722,11 +737,11 @@
CURLcode result = CURLE_OK;
(void)conn;
-#ifdef CURL_DISABLE_CRYPTO_AUTH
+#ifdef CURL_DISABLE_DIGEST_AUTH
(void)request;
(void)path;
#endif
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#ifndef CURL_DISABLE_AWS
if(authstatus->picked == CURLAUTH_AWS_SIGV4) {
auth = "AWS_SIGV4";
result = Curl_output_aws_sigv4(data, proxy);
@@ -762,7 +777,7 @@
}
else
#endif
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#ifndef CURL_DISABLE_DIGEST_AUTH
if(authstatus->picked == CURLAUTH_DIGEST) {
auth = "Digest";
result = Curl_output_digest(data,
@@ -774,6 +789,7 @@
}
else
#endif
+#ifndef CURL_DISABLE_BASIC_AUTH
if(authstatus->picked == CURLAUTH_BASIC) {
/* Basic */
if(
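Review bot: The `else` that closes the Digest branch just above the new `#ifndef CURL_DISABLE_BASIC_AUTH` sits outside that guard, so in a build with Basic disabled it binds to whatever statement comes next. With Bearer also disabled (hunks at -793 and -807) that statement is `if(auth)`, which would then be skipped whenever an earlier branch was taken. The same shape appears in the header-parsing hunks at -1091, -1105 and -1117, where with Bearer disabled the trailing `else` would attach to the `while(*auth && *auth != ',')` scan. Closing each guarded branch with `#else` and an empty block `{ /* terminates the if-else chain */ }` before its `#endif` keeps the chain intact in every configuration. Both functions start and end outside these hunks, so the full effect should be confirmed against the complete file.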
@@ -793,6 +809,8 @@
functions work that way */
authstatus->done = TRUE;
}
+#endif
+#ifndef CURL_DISABLE_BEARER_AUTH
if(authstatus->picked == CURLAUTH_BEARER) {
/* Bearer */
if((!proxy && data->set.str[STRING_BEARER] &&
@@ -807,6 +825,7 @@
functions work that way */
authstatus->done = TRUE;
}
+#endif
if(auth) {
#ifndef CURL_DISABLE_PROXY
@@ -1068,7 +1087,7 @@
}
else
#endif
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#ifndef CURL_DISABLE_DIGEST_AUTH
if(checkprefix("Digest", auth) && is_valid_auth_separator(auth[6])) {
if((authp->avail & CURLAUTH_DIGEST) != 0)
infof(data, "Ignoring duplicate digest auth header.");
@@ -1091,6 +1110,7 @@
}
else
#endif
+#ifndef CURL_DISABLE_BASIC_AUTH
if(checkprefix("Basic", auth) &&
is_valid_auth_separator(auth[5])) {
*availp |= CURLAUTH_BASIC;
@@ -1105,6 +1125,8 @@
}
}
else
+#endif
+#ifndef CURL_DISABLE_BEARER_AUTH
if(checkprefix("Bearer", auth) &&
is_valid_auth_separator(auth[6])) {
*availp |= CURLAUTH_BEARER;
@@ -1117,6 +1139,7 @@
data->state.authproblem = TRUE;
}
}
+#endif
/* there may be multiple methods on one line, so keep reading */
while(*auth && *auth != ',') /* read up to the next comma */
diff --git a/lib/http_aws_sigv4.c b/lib/http_aws_sigv4.c
index 686d268..485fcc4 100644
--- a/lib/http_aws_sigv4.c
+++ b/lib/http_aws_sigv4.c
@@ -24,7 +24,7 @@
#include "curl_setup.h"
-#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
+#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_AWS)
#include "urldata.h"
#include "strcase.h"
@@ -646,4 +646,4 @@
return ret;
}
-#endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) */
+#endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_AWS) */
diff --git a/lib/http_digest.c b/lib/http_digest.c
index 8daad99..2db3125 100644
--- a/lib/http_digest.c
+++ b/lib/http_digest.c
@@ -24,7 +24,7 @@
#include "curl_setup.h"
-#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
+#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
#include "urldata.h"
#include "strcase.h"
diff --git a/lib/http_digest.h b/lib/http_digest.h
index 7d5cfc1..5f79731 100644
--- a/lib/http_digest.h
+++ b/lib/http_digest.h
@@ -25,7 +25,7 @@
***************************************************************************/
#include "curl_setup.h"
-#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
+#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
/* this is for digest header input */
CURLcode Curl_input_digest(struct Curl_easy *data,
@@ -39,6 +39,6 @@
void Curl_http_auth_cleanup_digest(struct Curl_easy *data);
-#endif /* !CURL_DISABLE_HTTP && !CURL_DISABLE_CRYPTO_AUTH */
+#endif /* !CURL_DISABLE_HTTP && !CURL_DISABLE_DIGEST_AUTH */
#endif /* HEADER_CURL_HTTP_DIGEST_H */
diff --git a/lib/ldap.c b/lib/ldap.c
index ae40072..33a4dea 100644
--- a/lib/ldap.c
+++ b/lib/ldap.c
@@ -239,7 +239,7 @@
}
else
#endif
-#if !defined(CURL_DISABLE_CRYPTO_AUTH)
+#if !defined(CURL_DISABLE_DIGEST_AUTH)
if(authflags & CURLAUTH_DIGEST) {
method = LDAP_AUTH_DIGEST;
}
diff --git a/lib/md5.c b/lib/md5.c
index 1e1a344..01415af 100644
--- a/lib/md5.c
+++ b/lib/md5.c
@@ -24,7 +24,8 @@
#include "curl_setup.h"
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
+ || !defined(CURL_DISABLE_DIGEST_AUTH)
#include <string.h>
#include <curl/curl.h>
@@ -652,4 +653,4 @@
return CURLE_OK;
}
-#endif /* CURL_DISABLE_CRYPTO_AUTH */
+#endif /* Using NTLM (without SSPI) || Digest */
diff --git a/lib/pop3.c b/lib/pop3.c
index a2ab34a..a9d5fdd 100644
--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -419,7 +419,7 @@
return result;
}
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#ifndef CURL_DISABLE_DIGEST_AUTH
/***********************************************************************
*
* pop3_perform_apop()
@@ -563,7 +563,7 @@
}
if(!result && progress == SASL_IDLE) {
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#ifndef CURL_DISABLE_DIGEST_AUTH
if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_APOP)
/* Perform APOP authentication */
result = pop3_perform_apop(data, conn);
@@ -831,7 +831,7 @@
pop3_state(data, POP3_STOP); /* Authenticated */
break;
case SASL_IDLE: /* No mechanism left after cancellation */
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#ifndef CURL_DISABLE_DIGEST_AUTH
if(pop3c->authtypes & pop3c->preftype & POP3_TYPE_APOP)
/* Perform APOP authentication */
result = pop3_perform_apop(data, conn);
@@ -852,7 +852,7 @@
return result;
}
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#ifndef CURL_DISABLE_DIGEST_AUTH
/* For APOP responses */
static CURLcode pop3_state_apop_resp(struct Curl_easy *data, int pop3code,
pop3state instate)
@@ -1015,7 +1015,7 @@
result = pop3_state_auth_resp(data, pop3code, pop3c->state);
break;
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#ifndef CURL_DISABLE_DIGEST_AUTH
case POP3_APOP:
result = pop3_state_apop_resp(data, pop3code, pop3c->state);
break;
diff --git a/lib/setopt.c b/lib/setopt.c
index e2e3d85..2cef1b3 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -679,6 +679,7 @@
break;
#endif
+#if !defined(CURL_DISABLE_AWS)
case CURLOPT_AWS_SIGV4:
/*
* String that is merged to some authentication
@@ -692,6 +693,7 @@
if(data->set.str[STRING_AWS_SIGV4])
data->set.httpauth = CURLAUTH_AWS_SIGV4;
break;
+#endif
case CURLOPT_REFERER:
/*
diff --git a/lib/sha256.c b/lib/sha256.c
index 47aa7d5..4a02045 100644
--- a/lib/sha256.c
+++ b/lib/sha256.c
@@ -25,7 +25,8 @@
#include "curl_setup.h"
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#if !defined(CURL_DISABLE_AWS) || !defined(CURL_DISABLE_DIGEST_AUTH) \
+ || defined(USE_LIBSSH2)
#include "warnless.h"
#include "curl_sha256.h"
@@ -541,4 +542,4 @@
};
-#endif /* CURL_DISABLE_CRYPTO_AUTH */
+#endif /* AWS, DIGEST, or libSSH2 */
diff --git a/lib/url.c b/lib/url.c
index cd54523..4f5673e 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -414,7 +414,7 @@
Curl_hsts_cleanup(&data->hsts);
curl_slist_free_all(data->set.hstslist); /* clean up list */
#endif
-#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
+#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
Curl_http_auth_cleanup_digest(data);
#endif
Curl_safefree(data->info.contenttype);
diff --git a/lib/urldata.h b/lib/urldata.h
index 0af5a94..4bfb3b4 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -336,6 +336,7 @@
#include "curl_sspi.h"
#endif
+#ifndef CURL_DISABLE_DIGEST_AUTH
/* Struct used for Digest challenge-response authentication */
struct digestdata {
#if defined(USE_WINDOWS_SSPI)
@@ -359,6 +360,7 @@
BIT(userhash);
#endif
};
+#endif
typedef enum {
NTLMSTATE_NONE,
@@ -1347,7 +1349,7 @@
/* storage for the previous bag^H^H^HSIGPIPE signal handler :-) */
void (*prev_signal)(int sig);
#endif
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#ifndef CURL_DISABLE_DIGEST_AUTH
struct digestdata digest; /* state data for host Digest auth */
struct digestdata proxydigest; /* state data for proxy Digest auth */
#endif
diff --git a/lib/vauth/cram.c b/lib/vauth/cram.c
index 5894ed4..91fb261 100644
--- a/lib/vauth/cram.c
+++ b/lib/vauth/cram.c
@@ -26,7 +26,7 @@
#include "curl_setup.h"
-#if !defined(CURL_DISABLE_CRYPTO_AUTH)
+#ifndef CURL_DISABLE_DIGEST_AUTH
#include <curl/curl.h>
#include "urldata.h"
@@ -94,4 +94,4 @@
return CURLE_OK;
}
-#endif /* !CURL_DISABLE_CRYPTO_AUTH */
+#endif /* !CURL_DISABLE_DIGEST_AUTH */
diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c
index fda2d91..1983d03 100644
--- a/lib/vauth/digest.c
+++ b/lib/vauth/digest.c
@@ -27,7 +27,7 @@
#include "curl_setup.h"
-#if !defined(CURL_DISABLE_CRYPTO_AUTH)
+#ifndef CURL_DISABLE_DIGEST_AUTH
#include <curl/curl.h>
@@ -992,4 +992,4 @@
}
#endif /* !USE_WINDOWS_SSPI */
-#endif /* CURL_DISABLE_CRYPTO_AUTH */
+#endif /* !CURL_DISABLE_DIGEST_AUTH */
diff --git a/lib/vauth/digest.h b/lib/vauth/digest.h
index 68fdb28..99ce1f9 100644
--- a/lib/vauth/digest.h
+++ b/lib/vauth/digest.h
@@ -26,7 +26,7 @@
#include <curl/curl.h>
-#if !defined(CURL_DISABLE_CRYPTO_AUTH)
+#ifndef CURL_DISABLE_DIGEST_AUTH
#define DIGEST_MAX_VALUE_LENGTH 256
#define DIGEST_MAX_CONTENT_LENGTH 1024
diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c
index 8fb8669..02e36ea 100644
--- a/lib/vauth/digest_sspi.c
+++ b/lib/vauth/digest_sspi.c
@@ -27,7 +27,7 @@
#include "curl_setup.h"
-#if defined(USE_WINDOWS_SSPI) && !defined(CURL_DISABLE_CRYPTO_AUTH)
+#if defined(USE_WINDOWS_SSPI) && !defined(CURL_DISABLE_DIGEST_AUTH)
#include <curl/curl.h>
@@ -665,4 +665,4 @@
Curl_safefree(digest->passwd);
}
-#endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_CRYPTO_AUTH */
+#endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_DIGEST_AUTH */
diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h
index d8cff24..9da0540 100644
--- a/lib/vauth/vauth.h
+++ b/lib/vauth/vauth.h
@@ -30,7 +30,7 @@
struct Curl_easy;
-#if !defined(CURL_DISABLE_CRYPTO_AUTH)
+#if !defined(CURL_DISABLE_DIGEST_AUTH)
struct digestdata;
#endif
@@ -86,7 +86,7 @@
CURLcode Curl_auth_create_external_message(const char *user,
struct bufref *out);
-#if !defined(CURL_DISABLE_CRYPTO_AUTH)
+#ifndef CURL_DISABLE_DIGEST_AUTH
/* This is used to generate a CRAM-MD5 response message */
CURLcode Curl_auth_create_cram_md5_message(const struct bufref *chlg,
const char *userp,
@@ -119,7 +119,7 @@
/* This is used to clean up the digest specific data */
void Curl_auth_digest_cleanup(struct digestdata *digest);
-#endif /* !CURL_DISABLE_CRYPTO_AUTH */
+#endif /* !CURL_DISABLE_DIGEST_AUTH */
#ifdef USE_GSASL
/* This is used to evaluate if MECH is supported by gsasl */
diff --git a/packages/vms/generate_config_vms_h_curl.com b/packages/vms/generate_config_vms_h_curl.com
index 96e2e0c..99a39c8 100644
--- a/packages/vms/generate_config_vms_h_curl.com
+++ b/packages/vms/generate_config_vms_h_curl.com
@@ -237,9 +237,6 @@
$write cvh "#ifdef CURL_DISABLE_COOKIES"
$write cvh "#undef CURL_DISABLE_COOKIES"
$write cvh "#endif"
-$write cvh "#ifdef CURL_DISABLE_CRYPTO_AUTH"
-$write cvh "#undef CURL_DISABLE_CRYPTO_AUTH"
-$write cvh "#endif"
$write cvh "#ifdef CURL_DISABLE_DICT"
$write cvh "#undef CURL_DISABLE_DICT"
$write cvh "#endif"
diff --git a/tests/server/disabled.c b/tests/server/disabled.c
index 82fa854..0b84134 100644
--- a/tests/server/disabled.c
+++ b/tests/server/disabled.c
@@ -43,8 +43,20 @@
#ifdef CURL_DISABLE_COOKIES
"cookies",
#endif
-#ifdef CURL_DISABLE_CRYPTO_AUTH
- "crypto",
+#ifdef CURL_DISABLE_BASIC_AUTH
+ "basic-auth",
+#endif
+#ifdef CURL_DISABLE_BEARER_AUTH
+ "bearer-auth",
+#endif
+#ifdef CURL_DISABLE_DIGEST_AUTH
+ "digest-auth",
+#endif
+#ifdef CURL_DISABLE_NEGOTIATE_AUTH
+ "negotiate-auth",
+#endif
+#ifdef CURL_DISABLE_AWS
+ "aws",
#endif
#ifdef CURL_DISABLE_DOH
"DoH",
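Review bot: The list gains entries for five of the six new switches but none for `CURL_DISABLE_KERBEROS_AUTH`, so anything that reads this list (presumably the test runner) cannot tell when Kerberos has been compiled out. Adding `#ifdef CURL_DISABLE_KERBEROS_AUTH`, `"kerberos-auth",`, `#endif` between the digest and negotiate entries would keep it in step with the options added in CMakeLists.txt and configure.ac. The array this hunk edits starts and ends outside the hunk.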
diff --git a/tests/unit/unit1601.c b/tests/unit/unit1601.c
index 0bea388..4623bb7 100644
--- a/tests/unit/unit1601.c
+++ b/tests/unit/unit1601.c
@@ -37,7 +37,9 @@
UNITTEST_START
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
+ || !defined(CURL_DISABLE_DIGEST_AUTH)
+
const char string1[] = "1";
const char string2[] = "hello-you-fool";
unsigned char output[MD5_DIGEST_LEN];
diff --git a/tests/unit/unit1610.c b/tests/unit/unit1610.c
index 5624df8..b4c6ef4 100644
--- a/tests/unit/unit1610.c
+++ b/tests/unit/unit1610.c
@@ -39,7 +39,9 @@
UNITTEST_START
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#if !defined(CURL_DISABLE_AWS) || !defined(CURL_DISABLE_DIGEST_AUTH) \
+ || defined(USE_LIBSSH2)
+
const char string1[] = "1";
const char string2[] = "hello-you-fool";
unsigned char output[SHA256_DIGEST_LENGTH];
diff --git a/tests/unit/unit1612.c b/tests/unit/unit1612.c
index 1e99eeb..1f5b34d 100644
--- a/tests/unit/unit1612.c
+++ b/tests/unit/unit1612.c
@@ -38,7 +38,9 @@
UNITTEST_START
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#if (defined(USE_CURL_NTLM_CORE) && !defined(USE_WINDOWS_SSPI)) \
+ || !defined(CURL_DISABLE_DIGEST_AUTH)
+
const char password[] = "Pa55worD";
const char string1[] = "1";
const char string2[] = "hello-you-fool";