From: Viktor Szakats
Date: Sat, 29 Nov 2025 14:23:58 +0000 (+0100)
Subject: krb5: fix detecting channel binding feature
X-Git-Tag: rc-8_18_0-1~68
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4aed2dcc897b383b8bb9ae3bf2d7a2246ebccfcd;p=thirdparty%2Fcurl.git
krb5: fix detecting channel binding feature
Use the already detected `gssapi/gssapi_krb5.h` MIT Kerberos header to pull in `gssapi_ext.h`, which in turn sets `GSS_C_CHANNEL_BOUND_FLAG` if supported. Channel binding is present in MIT Kerberos 1.19+.
Also:
- lib: de-duplicate GSS-API header includes.
- vauth: de-duplicate `urldata.h` includes.
- drop interim feature macro in favor of the native GSS one.
Assisted-by: Max Faxälv
Reported-by: Max Faxälv
Bug: https://github.com/curl/curl/pull/19164#issuecomment-3551687025
Follow-up to 8616e5aada9c78fb611c60d913c999c8e78c14ba #19164
Closes #19603
Closes #19760
---
diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h
index 1a2bbabdf5..6df7e059d3 100644
--- a/lib/curl_gssapi.h
+++ b/lib/curl_gssapi.h
@@ -28,11 +28,6 @@
#include "urldata.h"
#ifdef HAVE_GSSAPI
-
-#ifdef GSS_C_CHANNEL_BOUND_FLAG /* MIT Kerberos 1.19+, missing from GNU GSS */
-#define CURL_GSSAPI_HAS_CHANNEL_BINDING
-#endif
-
extern gss_OID_desc Curl_spnego_mech_oid;
extern gss_OID_desc Curl_krb5_mech_oid;
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index fc80f80fa3..f31e59c2ca 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -120,7 +120,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
neg_ctx->sslContext = conn->sslContext;
#endif
/* Check if the connection is using SSL and get the channel binding data */
-#ifdef CURL_GSSAPI_HAS_CHANNEL_BINDING
+#ifdef GSS_C_CHANNEL_BOUND_FLAG
#ifdef USE_SSL
curlx_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
@@ -134,13 +134,13 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
#else
curlx_dyn_init(&neg_ctx->channel_binding_data, 1);
#endif /* USE_SSL */
-#endif /* CURL_GSSAPI_HAS_CHANNEL_BINDING */
+#endif /* GSS_C_CHANNEL_BOUND_FLAG */
/* Initialize the security context and decode our challenge */
result = Curl_auth_decode_spnego_message(data, userp, passwdp, service, host, header, neg_ctx);
-#ifdef CURL_GSSAPI_HAS_CHANNEL_BINDING
+#ifdef GSS_C_CHANNEL_BOUND_FLAG
curlx_dyn_free(&neg_ctx->channel_binding_data);
#endif
diff --git a/lib/urldata.h b/lib/urldata.h
index 561db56ecd..1c91099d15 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -191,12 +191,11 @@ typedef CURLcode (Curl_recv)(struct Curl_easy *data, /* transfer */
#ifdef HAVE_GSSAPI
# ifdef HAVE_GSSGNU
# include
-# else
-# ifdef HAVE_GSSAPI_H
-# include
-# else
-# include
-# endif
+# elif defined(HAVE_GSSAPI_H)
+# include
+# else /* MIT Kerberos */
+# include
+# include /* for GSS_C_CHANNEL_BOUND_FLAG, in 1.19+ */
# endif
#endif
diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
index 862310111e..c0e59fd273 100644
--- a/lib/vauth/cleartext.c
+++ b/lib/vauth/cleartext.c
@@ -32,7 +32,6 @@
(!defined(CURL_DISABLE_LDAP) && defined(USE_OPENLDAP))
#include
-#include "../urldata.h"
#include "vauth.h"
#include "../curlx/warnless.h"
diff --git a/lib/vauth/cram.c b/lib/vauth/cram.c
index 9bc5544a64..6a39a400ee 100644
--- a/lib/vauth/cram.c
+++ b/lib/vauth/cram.c
@@ -29,7 +29,6 @@
#ifndef CURL_DISABLE_DIGEST_AUTH
#include
-#include "../urldata.h"
#include "vauth.h"
#include "../curl_hmac.h"
diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c
index c5fea67394..8bcfc7ed6c 100644
--- a/lib/vauth/digest.c
+++ b/lib/vauth/digest.c
@@ -33,7 +33,6 @@
#include "vauth.h"
#include "digest.h"
-#include "../urldata.h"
#include "../curlx/base64.h"
#include "../curl_hmac.h"
#include "../curl_md5.h"
diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c
index 550810acda..fc2c139375 100644
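Review bot: A build whose GSS-API headers do not define `GSS_C_CHANNEL_BOUND_FLAG` (GNU GSS, and MIT before 1.19 according to the removed comment and the commit message) compiles this whole channel-binding block out, so Negotiate over TLS proceeds with `GSS_C_NO_CHANNEL_BINDINGS` and no diagnostic, and a server that enforces channel binding rejects the token with nothing in the verbose log to explain why. I would add an `#else` arm before the new `#endif /* GSS_C_CHANNEL_BOUND_FLAG */` carrying `/* no GSS_C_CHANNEL_BOUND_FLAG in this GSS-API: channel binding data is never sent; servers that require it will reject the token */`, and, if `infof()` is in scope in this file, a one-line verbose message when `Curl_conn_is_ssl(conn, FIRSTSOCKET)` is true. Curl_input_negotiate begins before this hunk and continues after it.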
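Review bot: The new `#else /* MIT Kerberos */` arm is reached by any GSS-API implementation that configure did not classify as GNU GSS or as having a top-level `gssapi.h`, so the label is an assumption rather than a check; I believe Heimdal also installs `gssapi/gssapi.h` and could land here depending on how it was detected. The include targets were stripped from this rendering, but the commit message says the second header is `gssapi/gssapi_krb5.h`, which pulls in `gssapi_ext.h` on MIT; if the literal target were `gssapi/gssapi_ext.h` instead, a non-MIT library in this branch would fail to compile, so confirm the target matches the message. Because `GSS_C_CHANNEL_BOUND_FLAG` is now a compile-time probe of whatever that header defines, the `#ifdef` sites in http_negotiate.c, spnego_gssapi.c and vauth.h only see it through this include chain, and I would say so in the trailing comment: `/* defines GSS_C_CHANNEL_BOUND_FLAG (MIT 1.19+); vauth.h and http_negotiate.c test it */`.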
--- a/lib/vauth/digest_sspi.c
+++ b/lib/vauth/digest_sspi.c
@@ -33,7 +33,6 @@
#include "vauth.h"
#include "digest.h"
-#include "../urldata.h"
#include "../curlx/warnless.h"
#include "../curlx/multibyte.h"
#include "../sendf.h"
diff --git a/lib/vauth/gsasl.c b/lib/vauth/gsasl.c
index 8330a4bd71..3888622dbf 100644
--- a/lib/vauth/gsasl.c
+++ b/lib/vauth/gsasl.c
@@ -31,7 +31,6 @@
#include
#include "vauth.h"
-#include "../urldata.h"
#include "../sendf.h"
#include
diff --git a/lib/vauth/krb5_gssapi.c b/lib/vauth/krb5_gssapi.c
index 1590949d68..7ba21a3941 100644
--- a/lib/vauth/krb5_gssapi.c
+++ b/lib/vauth/krb5_gssapi.c
@@ -33,7 +33,6 @@
#include "vauth.h"
#include "../curl_sasl.h"
-#include "../urldata.h"
#include "../curl_gssapi.h"
#include "../sendf.h"
diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c
index 2f82345b98..7317af809a 100644
--- a/lib/vauth/krb5_sspi.c
+++ b/lib/vauth/krb5_sspi.c
@@ -31,7 +31,6 @@
#include
#include "vauth.h"
-#include "../urldata.h"
#include "../curlx/warnless.h"
#include "../curlx/multibyte.h"
#include "../sendf.h"
diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
index e5eb1de5ef..e47135337a 100644
--- a/lib/vauth/ntlm.c
+++ b/lib/vauth/ntlm.c
@@ -35,7 +35,7 @@
#define DEBUG_ME 0
-#include "../urldata.h"
+#include "vauth.h"
#include "../sendf.h"
#include "../curl_ntlm_core.h"
#include "../curl_gethostname.h"
@@ -44,8 +44,6 @@
#include "../rand.h"
#include "../vtls/vtls.h"
#include "../strdup.h"
-
-#include "vauth.h"
#include "../curl_endian.h"
/* NTLM buffer fixed size, large enough for long user + host + domain */
diff --git a/lib/vauth/ntlm_sspi.c b/lib/vauth/ntlm_sspi.c
index bab319671c..561de27dc3 100644
--- a/lib/vauth/ntlm_sspi.c
+++ b/lib/vauth/ntlm_sspi.c
@@ -29,7 +29,6 @@
#include
#include "vauth.h"
-#include "../urldata.h"
#include "../curl_ntlm_core.h"
#include "../curlx/warnless.h"
#include "../curlx/multibyte.h"
diff --git a/lib/vauth/oauth2.c b/lib/vauth/oauth2.c
index 3b4d4164f0..c9122debff 100644
--- a/lib/vauth/oauth2.c
+++ b/lib/vauth/oauth2.c
@@ -31,7 +31,6 @@
(!defined(CURL_DISABLE_LDAP) && defined(USE_OPENLDAP))
#include
-#include "../urldata.h"
#include "vauth.h"
#include "../curlx/warnless.h"
diff --git a/lib/vauth/spnego_gssapi.c b/lib/vauth/spnego_gssapi.c
index f956f2c03e..3a24e8860a 100644
--- a/lib/vauth/spnego_gssapi.c
+++ b/lib/vauth/spnego_gssapi.c
@@ -31,7 +31,6 @@
#include
#include "vauth.h"
-#include "../urldata.h"
#include "../curlx/base64.h"
#include "../curl_gssapi.h"
#include "../curlx/warnless.h"
@@ -92,7 +91,7 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
gss_channel_bindings_t chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
-#ifdef CURL_GSSAPI_HAS_CHANNEL_BINDING
+#ifdef GSS_C_CHANNEL_BOUND_FLAG
struct gss_channel_bindings_struct chan;
#endif
@@ -155,7 +154,7 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
}
/* Set channel binding data if available */
-#ifdef CURL_GSSAPI_HAS_CHANNEL_BINDING
+#ifdef GSS_C_CHANNEL_BOUND_FLAG
if(curlx_dyn_len(&nego->channel_binding_data)) {
memset(&chan, 0, sizeof(struct gss_channel_bindings_struct));
chan.application_data.length = curlx_dyn_len(&nego->channel_binding_data);
diff --git a/lib/vauth/spnego_sspi.c b/lib/vauth/spnego_sspi.c
index 2b0504f630..2a6548b6d4 100644
--- a/lib/vauth/spnego_sspi.c
+++ b/lib/vauth/spnego_sspi.c
@@ -31,7 +31,6 @@
#include
#include "vauth.h"
-#include "../urldata.h"
#include "../curlx/base64.h"
#include "../curlx/warnless.h"
#include "../curlx/multibyte.h"
diff --git a/lib/vauth/vauth.c b/lib/vauth/vauth.c
index 4ca6cef7c8..9b87bd2c67 100644
--- a/lib/vauth/vauth.c
+++ b/lib/vauth/vauth.c
@@ -28,7 +28,6 @@
#include "vauth.h"
#include "../strdup.h"
-#include "../urldata.h"
#include "../curlx/multibyte.h"
#include "../url.h"
diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h
index 51b9f41c1b..4c98d9b1c1 100644
--- a/lib/vauth/vauth.h
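Review bot: In the `@@ -155` hunk, `memset(&chan, 0, ...)` is what leaves `initiator_addrtype` and `acceptor_addrtype` at `GSS_C_AF_UNSPEC` (0 in RFC 2744), which is the right address type when only `application_data` carries the tls-server-end-point binding, but that intent is invisible in the code; I would either set the two fields explicitly, `chan.initiator_addrtype = GSS_C_AF_UNSPEC; chan.acceptor_addrtype = GSS_C_AF_UNSPEC;`, or annotate the memset with `/* GSS_C_AF_UNSPEC: no address bindings, application_data only */`. The hunk stops right after `application_data.length` is assigned; the assignment of `application_data.value` and the point where `chan_bindings` presumably is pointed at `chan` lie outside it, as does the rest of Curl_auth_decode_spnego_message, so whether `chan` is referenced only inside the guarded region could not be checked from here.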
+++ b/lib/vauth/vauth.h
@@ -28,6 +28,7 @@
#include "../bufref.h"
#include "../curlx/dynbuf.h"
+#include "../urldata.h"
struct Curl_easy;
struct connectdata;
@@ -233,18 +234,6 @@ CURLcode Curl_auth_create_xoauth_bearer_message(const char *user,
#ifdef USE_KERBEROS5
-#ifdef HAVE_GSSAPI
-# ifdef HAVE_GSSGNU
-# include
-# else
-# ifdef HAVE_GSSAPI_H
-# include
-# else
-# include
-# endif
-# endif
-#endif
-
/* meta key for storing KRB5 meta at connection */
#define CURL_META_KRB5_CONN "meta:auth:krb5:conn"
@@ -310,7 +299,7 @@ struct negotiatedata {
gss_ctx_id_t context;
gss_name_t spn;
gss_buffer_desc output_token;
-#ifdef CURL_GSSAPI_HAS_CHANNEL_BINDING
+#ifdef GSS_C_CHANNEL_BOUND_FLAG
struct dynbuf channel_binding_data;
#endif
#else
diff --git a/lib/version.c b/lib/version.c
index f02b92fedf..49c15ffcde 100644
--- a/lib/version.c
+++ b/lib/version.c
@@ -77,18 +77,6 @@
#include
#endif
-#ifdef HAVE_GSSAPI
-# ifdef HAVE_GSSGNU
-# include
-# else
-# ifdef HAVE_GSSAPI_H
-# include
-# else
-# include
-# endif
-# endif
-#endif
-
#ifdef USE_OPENLDAP
#include
#endif
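Review bot: The added `#include "../urldata.h"` in the `@@ -28` hunk is load-bearing rather than a de-duplication convenience: urldata.h is where this commit now pulls in the GSS-API headers, and the `#ifdef GSS_C_CHANNEL_BOUND_FLAG` later in this header, plus every vauth .c file that dropped its own urldata.h include in this commit, reaches that macro only through this line. A comment on the include, `/* also brings in the GSS-API headers; the GSS_C_CHANNEL_BOUND_FLAG test below depends on it */`, would stop a future include cleanup from removing it and silently changing `struct negotiatedata`. If urldata.h, or anything it includes, also includes vauth.h (not visible here), the two include guards would make the outcome depend on which header a translation unit includes first, so confirm there is no such cycle.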
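Review bot: In the `@@ -310` hunk the size and field offsets of `struct negotiatedata` now depend on `GSS_C_CHANNEL_BOUND_FLAG`, a macro supplied by a system header rather than by curl's own configuration, so a translation unit that sees this struct under a different set of includes gets a different layout with no compile-time error. The commit relies on every consumer reaching the GSS-API headers through vauth.h's new urldata.h include, and that contract deserves a comment at the field: `/* present only when the GSS-API headers (reached via urldata.h) define GSS_C_CHANNEL_BOUND_FLAG; include vauth.h, never the GSS headers alone */`. `struct negotiatedata` opens before this hunk and closes after it.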