Ability to disable specific auths (Basic, Bearer, Digest, etc.) and non-standard like AWS. #11490
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
--disable-crypto-auth is already there to disable them all, Basic notwithstanding.
|
Yeah, Basic isn't in there. And there's the case where you need NTLM but Plus this removes AWS and give the ability for fine-grained disabling of individual auths that aren't needed. |
vszakats
reviewed
Jul 21, 2023
Shouldn't this then also include ntlm and negotiate to the mix so that they all are independently controlled the same way? |
Explicitly mark which is default on @vszakats request.
|
…. This will prevent accidental use in the future.
|
Would it make sense to change Also, CMake is missing and the spellcheck job is failing. Apart from that, this PR looks good to me! |
bagder
reviewed
Aug 6, 2023
bagder
reviewed
Aug 15, 2023
…removal of `CURL_DISABLE_CRYPTO_AUTH`.
wyattoday
changed the title
Fixed the spelling and added the CMake changes. I'm all done making the requested changes. All the tests are passing (except for some failures due to the brittleness of the tests, not the code being tested). Should be good for a final review and/or merge. Let me know if there's anything else you want me to address. |
bagder
approved these changes
Sep 7, 2023
|
Thanks! |
ptitSeb
pushed a commit
to wasix-org/curl
that referenced
this pull request
Sep 25, 2023
Both with configure and cmake Closes curl#11490
vszakats
added a commit
to vszakats/curl
that referenced
this pull request
Oct 25, 2023
Follow-up to e92edfb curl#11490 Closes #xxxxx
vszakats
added a commit
to curl/curl-for-win
that referenced
this pull request
Oct 25, 2023
This curl v8.4.0 update: curl/curl@e92edfb curl/curl#11490 deleted a build option we used and replaced it with multiple new ones. autotools now also has a documented defaults for them. Update our options accordingly in cmake and autotools builds.
vszakats
added a commit
to vszakats/curl
that referenced
this pull request
Oct 29, 2023
```
./curl/lib/http.c:737:12: warning: unused variable 'result' [-Wunused-variable]
CURLcode result = CURLE_OK;
^
./curl/lib/http.c:1143:12: warning: empty expression statement has no effect; remove unnecessary ';' to silence this warning [-Wextra-semi-stmt]
;
^
./curl/lib/http.c:995:18: warning: variable 'availp' set but not used [-Wunused-but-set-variable]
unsigned long *availp;
^
./curl/lib/http.c:996:16: warning: variable 'authp' set but not used [-Wunused-but-set-variable]
struct auth *authp;
^
./curl/lib/http.c:979:12: warning: unused function 'is_valid_auth_separator' [-Wunused-function]
static int is_valid_auth_separator(char ch)
^
5 warnings generated.
```
Follow-up to 0d3956b curl#11895
Follow-up to e92edfb curl#11490
Closes #xxxxx
This was referenced Oct 29, 2023
vszakats
added a commit
that referenced
this pull request
Nov 15, 2023
Builds with libssh2 + `-DCURL_DISABLE_DIGEST_AUTH=ON` +
`-DCURL_DISABLE_AWS=ON` in combination with either Schannel on Windows,
or `-DCURL_DISABLE_NTLM=ON` on other operating systems failed while
compiling due to a missing HMAC declaration.
The reason is that HMAC is required by `lib/sha256.c` which publishes
`Curl_sha256it()` which is required by `lib/vssh/libssh2.c` when
building for libssh2 v1.8.2 (2019-05-25) or older.
Make sure to compile the HMAC bits for a successful build.
Both HMAC and `Curl_sha256it()` rely on the same internals, so splitting
them into separate sources isn't practical.
Fixes:
```
[...]
In file included from ./curl/_x64-win-ucrt-cmake-llvm-bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity_0_c.c:310:
./curl/lib/sha256.c:527:42: error: array has incomplete element type 'const struct HMAC_params'
527 | const struct HMAC_params Curl_HMAC_SHA256[] = {
| ^
./curl/lib/curl_sha256.h:34:21: note: forward declaration of 'struct HMAC_params'
[...]
```
Regression from e92edfb #11490
Fixes #12273
Closes #12332
vszakats
added a commit
that referenced
this pull request
Nov 16, 2023
Fix compiler warnings in builds with disabled auths, NTLM and SPNEGO.
E.g. with `CURL_DISABLE_BASIC_AUTH` + `CURL_DISABLE_BEARER_AUTH` +
`CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_NEGOTIATE_AUTH` +
`CURL_DISABLE_NTLM` on non-Windows.
```
./curl/lib/http.c:737:12: warning: unused variable 'result' [-Wunused-variable]
CURLcode result = CURLE_OK;
^
./curl/lib/http.c:995:18: warning: variable 'availp' set but not used [-Wunused-but-set-variable]
unsigned long *availp;
^
./curl/lib/http.c:996:16: warning: variable 'authp' set but not used [-Wunused-but-set-variable]
struct auth *authp;
^
```
Regression from e92edfb #11490
Fixes #12228
Closes #12335
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Dec 22, 2023
The commit e92edfbef644 ("lib: add ability to disable auths
individually") [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and
introduces CMake options for a number crypto protocols.
The patch reflects this change in Tarantool's build infrastructure.
1. curl/curl@e92edfb
2. curl/curl#11490
Follows up tarantool#9086
NO_CHANGELOG=third_party
NO_DOC=third_party
NO_TEST=third_party
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Dec 22, 2023
The commit e92edfbef644 ("lib: add ability to disable auths
individually") [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and
introduces CMake options for a number crypto protocols.
The patch reflects this change in Tarantool's build infrastructure.
1. curl/curl@e92edfb
2. curl/curl#11490
Follows up tarantool#9086
NO_CHANGELOG=third_party
NO_DOC=third_party
NO_TEST=third_party
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Dec 26, 2023
The commit e92edfbef644 ("lib: add ability to disable auths
individually") [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and
introduces CMake options for a number crypto protocols.
The patch reflects this change in Tarantool's build infrastructure.
1. curl/curl@e92edfb
2. curl/curl#11490
Follows up tarantool#9086
NO_CHANGELOG=third_party
NO_DOC=third_party
NO_TEST=third_party
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Dec 26, 2023
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up tarantool#9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Dec 26, 2023
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up tarantool#9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party
igormunkin
pushed a commit
to tarantool/tarantool
that referenced
this pull request
Dec 27, 2023
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up #9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Jan 9, 2024
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up tarantool#9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party (cherry picked from commit c9daf9b)
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Jan 9, 2024
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up tarantool#9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party (cherry picked from commit c9daf9b)
igormunkin
pushed a commit
to tarantool/tarantool
that referenced
this pull request
Jan 10, 2024
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up #9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party (cherry picked from commit c9daf9b)
igormunkin
pushed a commit
to tarantool/tarantool
that referenced
this pull request
Jan 10, 2024
The commit "lib: add ability to disable auths individually" [1][2] in Curl 8.3.0 removes CURL_DISABLE_CRYPTO_AUTH and introduces CMake options for a number crypto protocols. The patch reflects this change in Tarantool's build infrastructure. 1. curl/curl@e92edfb 2. curl/curl#11490 Follows up #9086 NO_CHANGELOG=third_party NO_DOC=third_party NO_TEST=third_party (cherry picked from commit c9daf9b)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In the spirit of tiny-curl deprecated, optional, and non-standard code should be able to be compiled-out.
AWS-SIG4 is an organization-specific (namely, Amazon) chunk of code that is not applicable outside of communicating with Amazon servers. It is not standardized. Personally, I think this should be disabled by default in libCurl (and maybe even curl-cli too), but a good place to start is even adding the ability to disable it.
Digest Auth is actually a standard (unlike AWS-SIG4) but has long-since become deprecated (both by standards organizations and by end-user corporations that had previously used Digest).
Lastly, Bearer, Basic, Negotiate, and Kerberos auth types are also configurably disabled. These are all safe authentication methods, but not every user of curl / libcurl will need them. Hence, reduce compiled binary size (and executed run-time checks) when they're not needed.
This PR continues that by adding 6 configure options / defines:
This also removes the general
CURL_DISABLE_CRYPTO_AUTH(as suggested below by @bagder ) since the specific auth-types can be disabled one-by-one.Personally, I think both Digest & AWS should be disabled by default. But this is a good start.
We already deploy and use versions of libcurl with these auths (and AWS) disabled (and have for a few years now).