curl-curl/lib/vauth
Devdatta Talele 8616e5aada
gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
Fixes #19109 - GSSAPI authentication fails on macOS with Apple's Heimdal
implementation which lacks GSS_C_CHANNEL_BOUND_FLAG support for TLS
channel binding.

Commit 0a5ea09a91 introduced TLS channel binding for SPNEGO/GSSAPI
authentication unconditionally, but Apple's Heimdal fork (used on macOS)
does not support this feature, causing "unsupported mechanism" errors
when authenticating to corporate HTTP services with Kerberos.

Solution:
- Add CURL_GSSAPI_HAS_CHANNEL_BINDING detection in curl_gssapi.h based
  on GSS_C_CHANNEL_BOUND_FLAG presence (MIT Kerberos >= 1.19)
- Make negotiatedata.channel_binding_data field conditional in vauth.h
- Guard channel binding collection/cleanup in http_negotiate.c
- Guard channel binding usage in spnego_gssapi.c

This follows the same pattern as GSS_C_DELEG_POLICY_FLAG detection and
ensures graceful degradation when channel binding is unavailable while
maintaining full support for implementations that have it.

Changes:
- lib/curl_gssapi.h: Add feature detection macro
- lib/vauth/vauth.h: Make struct field conditional
- lib/http_negotiate.c: Conditional init/cleanup (2 locations)
- lib/vauth/spnego_gssapi.c: Conditional channel binding usage

Tested on macOS with Apple Heimdal (no channel binding) and Linux with
MIT Kerberos (with channel binding). Both configurations authenticate
successfully without errors.

Closes #19164
2025-11-03 18:16:54 +01:00
cleartext.c lib: reduce memcpy calls 2025-10-30 15:40:21 +01:00
cram.c lib: stop overriding system printf symbols 2025-10-06 20:57:59 +02:00
digest_sspi.c lib: reduce memcpy calls 2025-10-30 15:40:21 +01:00
digest.c vauth/digest: improve the digest parser 2025-10-09 22:01:29 +02:00
digest.h lib: add ability to disable auths individually 2023-09-07 17:45:06 +02:00
gsasl.c lib: remove newlines from failf() calls 2025-10-18 23:17:54 +02:00
krb5_gssapi.c krb5_gssapi: fix memory leak on error path 2025-10-09 22:02:16 +02:00
krb5_sspi.c krb5_sspi: the chlg argument is NOT optional 2025-10-06 13:58:43 +02:00
ntlm_sspi.c tidy-up: miscellaneous (cont.) 2025-10-06 22:33:38 +02:00
ntlm.c tidy-up: miscellaneous 2025-10-25 00:19:00 +02:00
oauth2.c lib: stop overriding system printf symbols 2025-10-06 20:57:59 +02:00
spnego_gssapi.c gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG 2025-11-03 18:16:54 +01:00
spnego_sspi.c windows: use native error code types more 2025-10-06 12:12:44 +02:00
vauth.c lib: stop overriding system printf symbols 2025-10-06 20:57:59 +02:00
vauth.h gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG 2025-11-03 18:16:54 +01:00