GHA/linux: test GNU GSS with autotools, cmake, valgrind and scan-build

The cmake build is running runtests with valgrind. The autotools one is running scan-build. Also: - ignore two memleaks with GNU GSS detected by valgrind. - add comment on support status of `GSS_C_DELEG_POLICY_FLAG`. Closes #19008
2026-04-11 12:01:42 +08:00 · 2025-10-10 14:37:41 +02:00 · 2025-10-10 14:37:41 +02:00 · 9442dd480e
commit 9442dd480e
parent e5950b2d37
2 changed files with 8 additions and 4 deletions
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@ -93,8 +93,8 @@ jobs:
            install_steps: wolfssl-opensslextra
            configure: LDFLAGS=-Wl,-rpath,/home/runner/wolfssl-opensslextra/lib --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug

-          - name: 'mbedtls valgrind'
-            install_packages: libnghttp2-dev libidn2-dev libldap-dev valgrind
+          - name: 'mbedtls gss valgrind'
+            install_packages: libnghttp2-dev libidn2-dev libldap-dev libgss-dev valgrind
            install_steps: mbedtls
            generate: >-
              -DCURL_USE_MBEDTLS=ON -DENABLE_DEBUG=ON
@ -102,6 +102,7 @@ jobs:
              -DMBEDTLS_LIBRARY=/home/runner/mbedtls/lib/libmbedtls.a
              -DMBEDX509_LIBRARY=/home/runner/mbedtls/lib/libmbedx509.a
              -DMBEDCRYPTO_LIBRARY=/home/runner/mbedtls/lib/libmbedcrypto.a
+              -DCURL_USE_GSSAPI=ON

          - name: 'mbedtls clang'
            install_packages: libnghttp2-dev libldap-dev clang
@ -223,7 +224,7 @@ jobs:
              --enable-ech --with-gssapi --enable-ssls-export

          - name: 'scan-build'
-            install_packages: clang-tools clang libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libkrb5-dev librtmp-dev libgnutls28-dev
+            install_packages: clang-tools clang libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libgss-dev librtmp-dev libgnutls28-dev
            install_steps: skipall mbedtls rustls wolfssl-opensslextra
            install_steps_brew: gsasl
            CC: clang
@ -673,6 +674,9 @@ jobs:
        run: |
          if [ "${TEST_TARGET}" = 'test-ci' ] && [[ "${MATRIX_INSTALL_PACKAGES}" = *'valgrind'* ]]; then
            TFLAGS+=' -j6'
+            if [[ "${MATRIX_INSTALL_PACKAGES}" = *'libgss-dev'* ]]; then
+              TFLAGS+=' ~2077 ~2078'  # memory leaks from Curl_auth_decode_spnego_message() -> gss_init_sec_context()
+            fi
          fi
          [ -f ~/venv/bin/activate ] && source ~/venv/bin/activate
          if [[ "${MATRIX_INSTALL_STEPS}" = *'codeset-test'* ]]; then
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@ -313,7 +313,7 @@ OM_uint32 Curl_gss_init_sec_context(struct Curl_easy *data,
    req_flags |= GSS_C_MUTUAL_FLAG;

  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
-#ifdef GSS_C_DELEG_POLICY_FLAG
+#ifdef GSS_C_DELEG_POLICY_FLAG  /* MIT Kerberos 1.8+, missing from GNU GSS */
    req_flags |= GSS_C_DELEG_POLICY_FLAG;
 #else
    infof(data, "WARNING: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not "