Use the already detected `gssapi/gssapi_krb5.h` MIT Kerberos header
to pull in `gssapi_ext.h`, which in turn sets `GSS_C_CHANNEL_BOUND_FLAG`
if supported. Channel binding is present in MIT Kerberos 1.19+.
Also:
- lib: de-duplicate GSS-API header includes.
- vauth: de-duplicate `urldata.h` includes.
- drop interim feature macro in favor of the native GSS one.
Assisted-by: Max Faxälv
Reported-by: Max Faxälv
Bug: https://github.com/curl/curl/pull/19164#issuecomment-3551687025
Follow-up to 8616e5aada9c78fb611c60d913c999c8e78c14ba #19164
Closes #19603
Closes #19760
#include "urldata.h"
#ifdef HAVE_GSSAPI
-
-#ifdef GSS_C_CHANNEL_BOUND_FLAG /* MIT Kerberos 1.19+, missing from GNU GSS */
-#define CURL_GSSAPI_HAS_CHANNEL_BINDING
-#endif
-
extern gss_OID_desc Curl_spnego_mech_oid;
extern gss_OID_desc Curl_krb5_mech_oid;
neg_ctx->sslContext = conn->sslContext;
#endif
/* Check if the connection is using SSL and get the channel binding data */
-#ifdef CURL_GSSAPI_HAS_CHANNEL_BINDING
+#ifdef GSS_C_CHANNEL_BOUND_FLAG
#ifdef USE_SSL
curlx_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
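Review bot: The guard `#ifdef GSS_C_CHANNEL_BOUND_FLAG` above the `curlx_dyn_init()` call now keys off a macro that only the GSS-API system headers provide, so on GNU GSS or an MIT Kerberos older than 1.19 this setup compiles out and Negotiate over TLS proceeds without channel binding; nothing visible in this hunk records or reports that. I would document it at the guard, for example `/* GSS_C_CHANNEL_BOUND_FLAG is defined by the GSS-API headers (MIT Kerberos 1.19+); without it no TLS channel binding data is collected */`. The same guard wraps the `curlx_dyn_free()` cleanup after `Curl_auth_decode_spnego_message()` and the `chan` setup in the SPNEGO context code, so the comment applies there as well. The `if(Curl_conn_is_ssl(...))` body continues outside this hunk.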
#else
curlx_dyn_init(&neg_ctx->channel_binding_data, 1);
#endif /* USE_SSL */
-#endif /* CURL_GSSAPI_HAS_CHANNEL_BINDING */
+#endif /* GSS_C_CHANNEL_BOUND_FLAG */
/* Initialize the security context and decode our challenge */
result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
host, header, neg_ctx);
-#ifdef CURL_GSSAPI_HAS_CHANNEL_BINDING
+#ifdef GSS_C_CHANNEL_BOUND_FLAG
curlx_dyn_free(&neg_ctx->channel_binding_data);
#endif
#ifdef HAVE_GSSAPI
# ifdef HAVE_GSSGNU
# include <gss.h>
-# else
-# ifdef HAVE_GSSAPI_H
-# include <gssapi.h>
-# else
-# include <gssapi/gssapi.h>
-# endif
+# elif defined(HAVE_GSSAPI_H)
+# include <gssapi.h>
+# else /* MIT Kerberos */
+# include <gssapi/gssapi.h>
+# include <gssapi/gssapi_krb5.h> /* for GSS_C_CHANNEL_BOUND_FLAG, in 1.19+ */
# endif
#endif
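Review bot: Only the final `# else` branch includes `<gssapi/gssapi_krb5.h>`, so a build that takes the `HAVE_GSSAPI_H` branch gets `GSS_C_CHANNEL_BOUND_FLAG` only if its `<gssapi.h>` happens to define the flag itself; otherwise channel binding is compiled out there just as on the `HAVE_GSSGNU` branch. If that is intended, the `# elif` line deserves a comment parallel to `/* MIT Kerberos */`, for example `/* no gssapi_krb5.h on this branch: channel binding only if gssapi.h defines the flag */`. This block also appears to be the one place where the macro becomes visible, so every `#ifdef GSS_C_CHANNEL_BOUND_FLAG` in the library has to be preprocessed after it.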
(!defined(CURL_DISABLE_LDAP) && defined(USE_OPENLDAP))
#include <curl/curl.h>
-#include "../urldata.h"
#include "vauth.h"
#include "../curlx/warnless.h"
#ifndef CURL_DISABLE_DIGEST_AUTH
#include <curl/curl.h>
-#include "../urldata.h"
#include "vauth.h"
#include "../curl_hmac.h"
#include "vauth.h"
#include "digest.h"
-#include "../urldata.h"
#include "../curlx/base64.h"
#include "../curl_hmac.h"
#include "../curl_md5.h"
#include "vauth.h"
#include "digest.h"
-#include "../urldata.h"
#include "../curlx/warnless.h"
#include "../curlx/multibyte.h"
#include "../sendf.h"
#include <curl/curl.h>
#include "vauth.h"
-#include "../urldata.h"
#include "../sendf.h"
#include <gsasl.h>
#include "vauth.h"
#include "../curl_sasl.h"
-#include "../urldata.h"
#include "../curl_gssapi.h"
#include "../sendf.h"
#include <curl/curl.h>
#include "vauth.h"
-#include "../urldata.h"
#include "../curlx/warnless.h"
#include "../curlx/multibyte.h"
#include "../sendf.h"
#define DEBUG_ME 0
-#include "../urldata.h"
+#include "vauth.h"
#include "../sendf.h"
#include "../curl_ntlm_core.h"
#include "../curl_gethostname.h"
#include "../rand.h"
#include "../vtls/vtls.h"
#include "../strdup.h"
-
-#include "vauth.h"
#include "../curl_endian.h"
/* NTLM buffer fixed size, large enough for long user + host + domain */
#include <curl/curl.h>
#include "vauth.h"
-#include "../urldata.h"
#include "../curl_ntlm_core.h"
#include "../curlx/warnless.h"
#include "../curlx/multibyte.h"
(!defined(CURL_DISABLE_LDAP) && defined(USE_OPENLDAP))
#include <curl/curl.h>
-#include "../urldata.h"
#include "vauth.h"
#include "../curlx/warnless.h"
#include <curl/curl.h>
#include "vauth.h"
-#include "../urldata.h"
#include "../curlx/base64.h"
#include "../curl_gssapi.h"
#include "../curlx/warnless.h"
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
gss_channel_bindings_t chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
-#ifdef CURL_GSSAPI_HAS_CHANNEL_BINDING
+#ifdef GSS_C_CHANNEL_BOUND_FLAG
struct gss_channel_bindings_struct chan;
#endif
}
/* Set channel binding data if available */
-#ifdef CURL_GSSAPI_HAS_CHANNEL_BINDING
+#ifdef GSS_C_CHANNEL_BOUND_FLAG
if(curlx_dyn_len(&nego->channel_binding_data)) {
memset(&chan, 0, sizeof(struct gss_channel_bindings_struct));
chan.application_data.length = curlx_dyn_len(&nego->channel_binding_data);
#include <curl/curl.h>
#include "vauth.h"
-#include "../urldata.h"
#include "../curlx/base64.h"
#include "../curlx/warnless.h"
#include "../curlx/multibyte.h"
#include "vauth.h"
#include "../strdup.h"
-#include "../urldata.h"
#include "../curlx/multibyte.h"
#include "../url.h"
#include "../bufref.h"
#include "../curlx/dynbuf.h"
+#include "../urldata.h"
struct Curl_easy;
struct connectdata;
#ifdef USE_KERBEROS5
-#ifdef HAVE_GSSAPI
-# ifdef HAVE_GSSGNU
-# include <gss.h>
-# else
-# ifdef HAVE_GSSAPI_H
-# include <gssapi.h>
-# else
-# include <gssapi/gssapi.h>
-# endif
-# endif
-#endif
-
/* meta key for storing KRB5 meta at connection */
#define CURL_META_KRB5_CONN "meta:auth:krb5:conn"
gss_ctx_id_t context;
gss_name_t spn;
gss_buffer_desc output_token;
-#ifdef CURL_GSSAPI_HAS_CHANNEL_BINDING
+#ifdef GSS_C_CHANNEL_BOUND_FLAG
struct dynbuf channel_binding_data;
#endif
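Review bot: The `channel_binding_data` member exists only when `GSS_C_CHANNEL_BOUND_FLAG` is defined, and that macro now comes from a system header rather than a curl header, so the layout of this struct depends on the GSS-API headers having been included before this point in every file that uses it. The `#include "../urldata.h"` added near the top of this header presumably guarantees that, but nothing states it. A comment above the `#ifdef`, such as `/* needs the GSS-API headers included first: GSS_C_CHANNEL_BOUND_FLAG decides whether this member exists */`, would keep a later include reshuffle from producing translation units that disagree on the struct size. The struct definition starts and ends outside this hunk.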
#else
#include <gsasl.h>
#endif
-#ifdef HAVE_GSSAPI
-# ifdef HAVE_GSSGNU
-# include <gss.h>
-# else
-# ifdef HAVE_GSSAPI_H
-# include <gssapi.h>
-# else
-# include <gssapi/gssapi.h>
-# endif
-# endif
-#endif
-
#ifdef USE_OPENLDAP
#include <ldap.h>
#endif