From 6393103b993fa7007ea31808892e20bb574122b8 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 21 Mar 2026 15:37:58 +0100 Subject: [PATCH] lib: make SMB support opt-in The SMB protocol has weak security and is rarely used these days. Note that SMB also requires NTLM enabled. Closes #20846 --- .github/workflows/windows.yml | 4 ++-- CMakeLists.txt | 9 ++++----- configure.ac | 18 +++++++++--------- docs/CURL-DISABLE.md | 4 ++-- docs/DEPRECATE.md | 1 + docs/INSTALL-CMAKE.md | 2 +- lib/curl_config-cmake.h.in | 2 +- lib/curl_setup.h | 3 --- lib/protocol.c | 14 +++++++------- lib/smb.c | 4 ++-- lib/smb.h | 2 +- lib/version.c | 2 +- 12 files changed, 31 insertions(+), 34 deletions(-) diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 5657038cae..f4ad554a76 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -857,11 +857,11 @@ jobs: image: 'windows-11-arm' openssh: 'OpenSSH-Windows' tflags: '--min=1650' - # disable SMB to save 30-60 seconds by omitting prereqs, to counteract the slower test run step + # leave SMB disabled to save 30-60 seconds by omitting prereqs, + # to counteract the slower test run step config: >- -DENABLE_DEBUG=ON -DCURL_USE_SCHANNEL=ON - -DCURL_DISABLE_SMB=ON -DUSE_WIN32_IDN=ON -DENABLE_UNICODE=ON -DUSE_SSLS_EXPORT=ON fail-fast: false diff --git a/CMakeLists.txt b/CMakeLists.txt index 7ca3897780..32cbeebde7 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -494,8 +494,8 @@ option(CURL_DISABLE_SHA512_256 "Disable SHA-512/256 hash algorithm" OFF) mark_as_advanced(CURL_DISABLE_SHA512_256) option(CURL_DISABLE_SHUFFLE_DNS "Disable shuffle DNS feature" OFF) mark_as_advanced(CURL_DISABLE_SHUFFLE_DNS) -option(CURL_DISABLE_SMB "Disable SMB" OFF) -mark_as_advanced(CURL_DISABLE_SMB) +option(CURL_ENABLE_SMB "Enable SMB" OFF) +mark_as_advanced(CURL_ENABLE_SMB) option(CURL_DISABLE_SMTP "Disable SMTP" OFF) mark_as_advanced(CURL_DISABLE_SMTP) option(CURL_DISABLE_SOCKETPAIR "Disable use of socketpair for curl_multi_poll()" OFF) @@ -540,7 +540,6 @@ if(HTTP_ONLY) set(CURL_DISABLE_MQTT ON) set(CURL_DISABLE_POP3 ON) set(CURL_DISABLE_RTSP ON) - set(CURL_DISABLE_SMB ON) set(CURL_DISABLE_SMTP ON) set(CURL_DISABLE_TELNET ON) set(CURL_DISABLE_TFTP ON) @@ -1972,9 +1971,9 @@ curl_add_if("POP3" NOT CURL_DISABLE_POP3) curl_add_if("POP3S" NOT CURL_DISABLE_POP3 AND _ssl_enabled) curl_add_if("IMAP" NOT CURL_DISABLE_IMAP) curl_add_if("IMAPS" NOT CURL_DISABLE_IMAP AND _ssl_enabled) -curl_add_if("SMB" NOT CURL_DISABLE_SMB AND +curl_add_if("SMB" CURL_ENABLE_SMB AND _use_curl_ntlm_core AND (SIZEOF_CURL_OFF_T GREATER 4)) -curl_add_if("SMBS" NOT CURL_DISABLE_SMB AND _ssl_enabled AND +curl_add_if("SMBS" CURL_ENABLE_SMB AND _ssl_enabled AND _use_curl_ntlm_core AND (SIZEOF_CURL_OFF_T GREATER 4)) curl_add_if("SMTP" NOT CURL_DISABLE_SMTP) curl_add_if("SMTPS" NOT CURL_DISABLE_SMTP AND _ssl_enabled) diff --git a/configure.ac b/configure.ac index 23e4b07cfd..5208a18d75 100644 --- a/configure.ac +++ b/configure.ac 
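Review bot: In the `if(HTTP_ONLY)` block, dropping `set(CURL_DISABLE_SMB ON)` without a replacement means HTTP_ONLY no longer forces SMB off, so a build configured with both `HTTP_ONLY=ON` and `CURL_ENABLE_SMB=ON` would presumably still compile and advertise SMB. Adding `set(CURL_ENABLE_SMB OFF)` next to the remaining `set(CURL_DISABLE_... ON)` lines keeps the reduced protocol surface that an HTTP-only build implies. The lib/curl_setup.h hunk removes the matching `CURL_DISABLE_SMB` define from what looks like the same kind of list, and would want `# undef CURL_ENABLE_SMB` there. The block starts and ends outside the hunk.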
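Review bot: The `curl_add_if("SMB" ...)` and `curl_add_if("SMBS" ...)` lines drop SMB without any diagnostic when `CURL_ENABLE_SMB` is ON but `_use_curl_ntlm_core` is false or `curl_off_t` is only 4 bytes, so someone who explicitly opted in gets a build without SMB and no hint why. Now that the option is an explicit request, a check such as `if(CURL_ENABLE_SMB AND NOT _use_curl_ntlm_core)` followed by `message(WARNING "CURL_ENABLE_SMB requires NTLM support; SMB stays disabled")` would make the dependency named in the commit message visible at configure time. The last configure.ac hunk has the same silent drop in `test "$CURL_ENABLE_SMB" = "1" && test "$use_curl_ntlm_core" = "yes"`, after `--enable-smb` has already printed `yes`.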
@@ -1018,19 +1018,19 @@ AS_HELP_STRING([--disable-imap],[Disable IMAP support]), AC_MSG_CHECKING([whether to support smb]) AC_ARG_ENABLE(smb, -AS_HELP_STRING([--enable-smb],[Enable SMB/CIFS support]) -AS_HELP_STRING([--disable-smb],[Disable SMB/CIFS support]), +AS_HELP_STRING([--enable-smb],[Enable SMB support]) +AS_HELP_STRING([--disable-smb],[Disable SMB support]), [ case "$enableval" in - no) - AC_MSG_RESULT(no) - AC_DEFINE(CURL_DISABLE_SMB, 1, [to disable SMB/CIFS]) - CURL_DISABLE_SMB=1 + yes) + AC_MSG_RESULT(yes) + AC_DEFINE(CURL_ENABLE_SMB, 1, [to enable SMB]) + CURL_ENABLE_SMB=1 ;; *) - AC_MSG_RESULT(yes) + AC_MSG_RESULT(no) ;; esac ], - AC_MSG_RESULT(yes) + AC_MSG_RESULT(no) ) AC_MSG_CHECKING([whether to support smtp]) @@ -5302,7 +5302,7 @@ if test "$CURL_DISABLE_IMAP" != "1"; then SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS IMAPS" fi fi -if test "$CURL_DISABLE_SMB" != "1" && test "$use_curl_ntlm_core" = "yes"; then +if test "$CURL_ENABLE_SMB" = "1" && test "$use_curl_ntlm_core" = "yes"; then SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SMB" if test "$SSL_ENABLED" = "1"; then SUPPORT_PROTOCOLS="$SUPPORT_PROTOCOLS SMBS" diff --git a/docs/CURL-DISABLE.md b/docs/CURL-DISABLE.md index 9663ebe765..a6a1ea1661 100644 --- a/docs/CURL-DISABLE.md +++ b/docs/CURL-DISABLE.md @@ -157,9 +157,9 @@ Disable the SHA-512/256 hash algorithm. Disable the shuffle DNS feature -## `CURL_DISABLE_SMB` +## `CURL_ENABLE_SMB` -Disable the SMB(S) protocols +Enable the SMB(S) protocols ## `CURL_DISABLE_SMTP` diff --git a/docs/DEPRECATE.md b/docs/DEPRECATE.md index 6aaa9936c3..807b79ac0f 100644 --- a/docs/DEPRECATE.md +++ b/docs/DEPRECATE.md @@ -27,6 +27,7 @@ TLS-SRP support gets removed in August 2026. ## SMB goes opt-in The SMB protocol has weak security and is rarely used these days. After curl + 8.19.0 SMB support becomes opt-in. ## NTLM goes opt-in diff --git a/docs/INSTALL-CMAKE.md b/docs/INSTALL-CMAKE.md index 7178a457d2..7b50151f4b 100644 --- a/docs/INSTALL-CMAKE.md +++ b/docs/INSTALL-CMAKE.md 
@@ -310,7 +310,7 @@ target_link_libraries(my_target PRIVATE CURL::libcurl) - `CURL_DISABLE_RTSP`: Disable RTSP. Default: `OFF` - `CURL_DISABLE_SHA512_256`: Disable SHA-512/256 hash algorithm. Default: `OFF` - `CURL_DISABLE_SHUFFLE_DNS`: Disable shuffle DNS feature. Default: `OFF` -- `CURL_DISABLE_SMB`: Disable SMB. Default: `OFF` +- `CURL_ENABLE_SMB`: Enable SMB. Default: `OFF` - `CURL_DISABLE_SMTP`: Disable SMTP. Default: `OFF` - `CURL_DISABLE_SOCKETPAIR`: Disable use of socketpair for curl_multi_poll(). Default: `OFF` - `CURL_DISABLE_SRP`: Disable TLS-SRP support. Default: `OFF` diff --git a/lib/curl_config-cmake.h.in b/lib/curl_config-cmake.h.in index b58db10c54..17a2aabde4 100644 --- a/lib/curl_config-cmake.h.in +++ b/lib/curl_config-cmake.h.in @@ -146,7 +146,7 @@ #cmakedefine CURL_DISABLE_SHUFFLE_DNS 1 /* disables SMB */ -#cmakedefine CURL_DISABLE_SMB 1 +#cmakedefine CURL_ENABLE_SMB 1 /* disables SMTP */ #cmakedefine CURL_DISABLE_SMTP 1 diff --git a/lib/curl_setup.h b/lib/curl_setup.h index 46a1f5c14a..d9d5aa885a 100644 --- a/lib/curl_setup.h +++ b/lib/curl_setup.h @@ -258,9 +258,6 @@ # ifndef CURL_DISABLE_RTSP # define CURL_DISABLE_RTSP # endif -# ifndef CURL_DISABLE_SMB -# define CURL_DISABLE_SMB -# endif # ifndef CURL_DISABLE_SMTP # define CURL_DISABLE_SMTP # endif diff --git a/lib/protocol.c b/lib/protocol.c index 5d6cf8de80..ccd4f3f69d 100644 --- a/lib/protocol.c +++ b/lib/protocol.c @@ -309,10 +309,10 @@ const struct Curl_scheme Curl_scheme_scp = { const struct Curl_scheme Curl_scheme_smb = { "smb", /* scheme */ -#if defined(CURL_DISABLE_SMB) || !defined(USE_CURL_NTLM_CORE) - ZERO_NULL, -#else +#if defined(CURL_ENABLE_SMB) && defined(USE_CURL_NTLM_CORE) &Curl_protocol_smb, +#else + ZERO_NULL, #endif CURLPROTO_SMB, /* protocol */ CURLPROTO_SMB, /* family */ 
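Review bot: In lib/curl_config-cmake.h.in the comment above the renamed define still reads `/* disables SMB */`, which now says the opposite of what `#cmakedefine CURL_ENABLE_SMB 1` does. It should become `/* enables SMB */`. Someone reading the generated config header to audit which protocols are compiled in would otherwise be misled by it.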
@@ -322,11 +322,11 @@ const struct Curl_scheme Curl_scheme_smb = { const struct Curl_scheme Curl_scheme_smbs = { "smbs", /* scheme */ -#if defined(CURL_DISABLE_SMB) || !defined(USE_CURL_NTLM_CORE) || \ - !defined(USE_SSL) - ZERO_NULL, -#else +#if defined(CURL_ENABLE_SMB) && defined(USE_CURL_NTLM_CORE) && \ + defined(USE_SSL) &Curl_protocol_smb, +#else + ZERO_NULL, #endif CURLPROTO_SMBS, /* protocol */ CURLPROTO_SMB, /* family */ diff --git a/lib/smb.c b/lib/smb.c index 08192b90ac..47b9949540 100644 --- a/lib/smb.c +++ b/lib/smb.c @@ -25,7 +25,7 @@ #include "curl_setup.h" #include "urldata.h" -#if !defined(CURL_DISABLE_SMB) && defined(USE_CURL_NTLM_CORE) +#if defined(CURL_ENABLE_SMB) && defined(USE_CURL_NTLM_CORE) #ifdef HAVE_ARPA_INET_H #include /* for htons() */ @@ -1228,4 +1228,4 @@ const struct Curl_protocol Curl_protocol_smb = { ZERO_NULL, /* follow */ }; -#endif /* CURL_DISABLE_SMB && USE_CURL_NTLM_CORE && SIZEOF_CURL_OFF_T > 4 */ +#endif /* CURL_ENABLE_SMB && USE_CURL_NTLM_CORE && SIZEOF_CURL_OFF_T > 4 */ diff --git a/lib/smb.h b/lib/smb.h index cbcef11a12..5a92ad13db 100644 --- a/lib/smb.h +++ b/lib/smb.h @@ -24,7 +24,7 @@ * SPDX-License-Identifier: curl * ***************************************************************************/ -#if !defined(CURL_DISABLE_SMB) && defined(USE_CURL_NTLM_CORE) +#if defined(CURL_ENABLE_SMB) && defined(USE_CURL_NTLM_CORE) extern const struct Curl_protocol Curl_protocol_smb; #endif diff --git a/lib/version.c b/lib/version.c index 6f5971b487..e5a6f8d80b 100644 --- a/lib/version.c +++ b/lib/version.c @@ -345,7 +345,7 @@ static const char * const supported_protocols[] = { "scp", "sftp", #endif -#if !defined(CURL_DISABLE_SMB) && defined(USE_CURL_NTLM_CORE) +#if defined(CURL_ENABLE_SMB) && defined(USE_CURL_NTLM_CORE) "smb", # ifdef USE_SSL "smbs",
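Review bot: The closing comment in lib/smb.c, `#endif /* CURL_ENABLE_SMB && USE_CURL_NTLM_CORE && SIZEOF_CURL_OFF_T > 4 */`, names a third condition that the opening `#if defined(CURL_ENABLE_SMB) && defined(USE_CURL_NTLM_CORE)` does not test. Since the line is being touched anyway, it should match the guard: `#endif /* CURL_ENABLE_SMB && USE_CURL_NTLM_CORE */`. CMake's `curl_add_if("SMB" ...)` does require `SIZEOF_CURL_OFF_T GREATER 4`, so if the 64-bit requirement is still real it may belong in the `#if` here and in lib/protocol.c, lib/smb.h and lib/version.c rather than only in the comment. That cannot be settled from the hunks shown.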