From: Viktor Szakats <commit@vsz.me>
Date: Fri, 10 Oct 2025 12:37:41 +0000 (+0200)
Subject: GHA/linux: test GNU GSS with autotools, cmake, valgrind and scan-build
X-Git-Tag: rc-8_17_0-1~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9442dd480e9fe4ded646287b5116be27a0cb4efd;p=thirdparty%2Fcurl.git

GHA/linux: test GNU GSS with autotools, cmake, valgrind and scan-build

The cmake build is running runtests with valgrind. The autotools one is
running scan-build.

Also:
- ignore two memleaks with GNU GSS detected by valgrind.
- add comment on support status of `GSS_C_DELEG_POLICY_FLAG`.

Closes #19008
---

diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index da49ae67b5..e0e256fbb3 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -93,8 +93,8 @@ jobs:
             install_steps: wolfssl-opensslextra
             configure: LDFLAGS=-Wl,-rpath,/home/runner/wolfssl-opensslextra/lib --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug
 
-          - name: 'mbedtls valgrind'
-            install_packages: libnghttp2-dev libidn2-dev libldap-dev valgrind
+          - name: 'mbedtls gss valgrind'
+            install_packages: libnghttp2-dev libidn2-dev libldap-dev libgss-dev valgrind
             install_steps: mbedtls
             generate: >-
               -DCURL_USE_MBEDTLS=ON -DENABLE_DEBUG=ON
@@ -102,6 +102,7 @@ jobs:
               -DMBEDTLS_LIBRARY=/home/runner/mbedtls/lib/libmbedtls.a
               -DMBEDX509_LIBRARY=/home/runner/mbedtls/lib/libmbedx509.a
               -DMBEDCRYPTO_LIBRARY=/home/runner/mbedtls/lib/libmbedcrypto.a
+              -DCURL_USE_GSSAPI=ON
 
           - name: 'mbedtls clang'
             install_packages: libnghttp2-dev libldap-dev clang
@@ -223,7 +224,7 @@ jobs:
               --enable-ech --with-gssapi --enable-ssls-export
 
           - name: 'scan-build'
-            install_packages: clang-tools clang libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libkrb5-dev librtmp-dev libgnutls28-dev
+            install_packages: clang-tools clang libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libgss-dev librtmp-dev libgnutls28-dev
             install_steps: skipall mbedtls rustls wolfssl-opensslextra
             install_steps_brew: gsasl
             CC: clang
@@ -673,6 +674,9 @@ jobs:
         run: |
           if [ "${TEST_TARGET}" = 'test-ci' ] && [[ "${MATRIX_INSTALL_PACKAGES}" = *'valgrind'* ]]; then
             TFLAGS+=' -j6'
+            if [[ "${MATRIX_INSTALL_PACKAGES}" = *'libgss-dev'* ]]; then
+              TFLAGS+=' ~2077 ~2078'  # memory leaks from Curl_auth_decode_spnego_message() -> gss_init_sec_context()
+            fi
           fi
           [ -f ~/venv/bin/activate ] && source ~/venv/bin/activate
           if [[ "${MATRIX_INSTALL_STEPS}" = *'codeset-test'* ]]; then
diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
index 87f644a908..42ccaa3e29 100644
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@@ -313,7 +313,7 @@ OM_uint32 Curl_gss_init_sec_context(struct Curl_easy *data,
     req_flags |= GSS_C_MUTUAL_FLAG;
 
   if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
-#ifdef GSS_C_DELEG_POLICY_FLAG
+#ifdef GSS_C_DELEG_POLICY_FLAG  /* MIT Kerberos 1.8+, missing from GNU GSS */
     req_flags |= GSS_C_DELEG_POLICY_FLAG;
 #else
     infof(data, "WARNING: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not "