From: Viktor Szakats Date: Wed, 8 Oct 2025 10:03:18 +0000 (+0200) Subject: build: drop Heimdal support, update docs, replace with MIT Kerberos in CI X-Git-Tag: rc-8_17_0-1~53 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8be9a26451d466571864a608bc48cc77746ff00d;p=thirdparty%2Fcurl.git build: drop Heimdal support, update docs, replace with MIT Kerberos in CI The kerberos5 library Heimdal is one of three GSS libraries curl support. It has a memory leak triggered by the new test in #18917 and the project seems mostly abandoned. Drop support and steer users to the MIT krb5 or GNU GSS libraries. Co-authored-by: Daniel Stenberg Ref: #18928 Closes #18928 Closes #18932 --- diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index cc882a51a3..58eaa35be5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -76,7 +76,7 @@ jobs: sudo apt-get -o Dpkg::Use-Pty=0 update sudo rm -f /var/lib/man-db/auto-update sudo apt-get -o Dpkg::Use-Pty=0 install libpsl-dev libbrotli-dev libidn2-dev libssh2-1-dev libssh-dev \ - libnghttp2-dev libldap-dev heimdal-dev librtmp-dev libgnutls28-dev libwolfssl-dev + libnghttp2-dev libldap-dev libkrb5-dev librtmp-dev libgnutls28-dev libwolfssl-dev HOMEBREW_NO_AUTO_UPDATE=1 /home/linuxbrew/.linuxbrew/bin/brew install c-ares gsasl libnghttp3 libngtcp2 mbedtls rustls-ffi - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/linux-old.yml b/.github/workflows/linux-old.yml index 6c5b18c2cf..fde23de811 100644 --- a/.github/workflows/linux-old.yml +++ b/.github/workflows/linux-old.yml @@ -68,7 +68,7 @@ jobs: dpkg -i freexian-archive-keyring_2022.06.08_all.deb echo 'deb http://deb.freexian.com/extended-lts stretch-lts main contrib non-free' | tee /etc/apt/sources.list.d/extended-lts.list apt-get -o Dpkg::Use-Pty=0 update - apt-get -o Dpkg::Use-Pty=0 install -y --no-install-suggests --no-install-recommends cmake make automake autoconf libtool gcc pkg-config libpsl-dev libzstd-dev zlib1g-dev libgnutls28-dev libc-ares-dev heimdal-dev libldap2-dev librtmp-dev stunnel4 groff + apt-get -o Dpkg::Use-Pty=0 install -y --no-install-suggests --no-install-recommends cmake make automake autoconf libtool gcc pkg-config libpsl-dev libzstd-dev zlib1g-dev libgnutls28-dev libc-ares-dev libkrb5-dev libldap2-dev librtmp-dev stunnel4 groff # GitHub's actions/checkout needs newer glibc and libstdc++. The latter also depends on # gcc-8-base, but it doesn't actually seem used in our situation and isn't available in # the main repo, so force the install. diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index d01fb4a0b9..da49ae67b5 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -69,13 +69,13 @@ jobs: fail-fast: false matrix: build: - - name: 'libressl heimdal' - install_packages: libidn2-dev libnghttp2-dev libldap-dev heimdal-dev + - name: 'libressl krb5' + install_packages: libidn2-dev libnghttp2-dev libldap-dev libkrb5-dev install_steps: libressl pytest codeset-test configure: LDFLAGS=-Wl,-rpath,/home/runner/libressl/lib --with-openssl=/home/runner/libressl --with-gssapi --enable-debug - - name: 'libressl heimdal valgrind' - install_packages: libnghttp2-dev libldap-dev heimdal-dev valgrind + - name: 'libressl krb5 valgrind' + install_packages: libnghttp2-dev libldap-dev libkrb5-dev valgrind install_steps: libressl generate: -DOPENSSL_ROOT_DIR=/home/runner/libressl -DCURL_USE_GSSAPI=ON -DENABLE_DEBUG=ON -DCURL_LIBCURL_VERSIONED_SYMBOLS=ON @@ -365,7 +365,7 @@ jobs: run: | apk add --no-cache build-base autoconf automake libtool perl openssl-dev \ libssh2-dev zlib-dev brotli-dev zstd-dev libidn2-dev openldap-dev \ - heimdal-dev libpsl-dev c-ares-dev \ + krb5-dev libpsl-dev c-ares-dev \ py3-impacket py3-asn1 py3-six py3-pycryptodomex \ perl-time-hires openssh stunnel sudo git openssl @@ -671,13 +671,8 @@ jobs: TEST_TARGET: ${{ matrix.build.torture && 'test-torture' || 'test-ci' }} TFLAGS: '${{ matrix.build.tflags }}' run: | - if [ "${TEST_TARGET}" = 'test-ci' ]; then - if [[ "${MATRIX_INSTALL_PACKAGES}" = *'valgrind'* ]]; then - TFLAGS+=' -j6' - if [[ "${MATRIX_INSTALL_PACKAGES}" = *'heimdal-dev'* ]]; then - TFLAGS+=' ~2056 ~2057 ~2077 ~2078' # memory leaks from Curl_auth_decode_spnego_message() -> gss_import_name() - fi - fi + if [ "${TEST_TARGET}" = 'test-ci' ] && [[ "${MATRIX_INSTALL_PACKAGES}" = *'valgrind'* ]]; then + TFLAGS+=' -j6' fi [ -f ~/venv/bin/activate ] && source ~/venv/bin/activate if [[ "${MATRIX_INSTALL_STEPS}" = *'codeset-test'* ]]; then diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index b4bbc8ea79..7e85cb71e1 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -294,17 +294,17 @@ jobs: - name: 'HTTP/3 clang-tidy' compiler: clang - install: llvm brotli zstd libnghttp3 libngtcp2 openldap heimdal + install: llvm brotli zstd libnghttp3 libngtcp2 openldap krb5 install_steps: clang-tidy skipall generate: >- -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl -DUSE_NGTCP2=ON -DLDAP_INCLUDE_DIR=/opt/homebrew/opt/openldap/include -DLDAP_LIBRARY=/opt/homebrew/opt/openldap/lib/libldap.dylib -DLDAP_LBER_LIBRARY=/opt/homebrew/opt/openldap/lib/liblber.dylib - -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/heimdal + -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/krb5 -DCURL_CLANG_TIDY=ON -DCLANG_TIDY=/opt/homebrew/opt/llvm/bin/clang-tidy - - name: 'LibreSSL openldap heimdal c-ares +examples' - install: libressl heimdal openldap - generate: -DENABLE_DEBUG=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/libressl -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/heimdal -DLDAP_INCLUDE_DIR=/opt/homebrew/opt/openldap/include -DLDAP_LIBRARY=/opt/homebrew/opt/openldap/lib/libldap.dylib -DLDAP_LBER_LIBRARY=/opt/homebrew/opt/openldap/lib/liblber.dylib + - name: 'LibreSSL openldap krb5 c-ares +examples' + install: libressl krb5 openldap + generate: -DENABLE_DEBUG=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/libressl -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/krb5 -DLDAP_INCLUDE_DIR=/opt/homebrew/opt/openldap/include -DLDAP_LIBRARY=/opt/homebrew/opt/openldap/lib/libldap.dylib -DLDAP_LBER_LIBRARY=/opt/homebrew/opt/openldap/lib/liblber.dylib - name: 'wolfSSL !ldap brotli zstd' install: brotli wolfssl zstd install_steps: pytest diff --git a/.github/workflows/non-native.yml b/.github/workflows/non-native.yml index f0368a9240..8dccb9e399 100644 --- a/.github/workflows/non-native.yml +++ b/.github/workflows/non-native.yml @@ -61,7 +61,7 @@ jobs: architecture: ${{ matrix.arch }} run: | # https://pkgsrc.se/ - time sudo pkgin -y install cmake ninja-build pkg-config perl brotli heimdal openldap-client libssh2 libidn2 libpsl nghttp2 py311-impacket + time sudo pkgin -y install cmake ninja-build pkg-config perl brotli mit-krb5 openldap-client libssh2 libidn2 libpsl nghttp2 py311-impacket time cmake -B bld -G Ninja \ -DCMAKE_INSTALL_PREFIX="$HOME"/curl-install \ -DCMAKE_UNITY_BUILD=ON \ @@ -164,10 +164,10 @@ jobs: # https://ports.freebsd.org/ if [ "${MATRIX_BUILD}" = 'cmake' ]; then time sudo pkg install -y cmake-core ninja perl5 \ - pkgconf brotli openldap26-client libidn2 libnghttp2 stunnel py311-impacket + pkgconf brotli krb5-devel openldap26-client libidn2 libnghttp2 stunnel py311-impacket else time sudo pkg install -y autoconf automake libtool \ - pkgconf brotli openldap26-client libidn2 libnghttp2 stunnel py311-impacket + pkgconf brotli krb5-devel openldap26-client libidn2 libnghttp2 stunnel py311-impacket export MAKEFLAGS=-j3 fi diff --git a/CMake/FindGSS.cmake b/CMake/FindGSS.cmake index 18c84556c0..21d756c2bc 100644 --- a/CMake/FindGSS.cmake +++ b/CMake/FindGSS.cmake @@ -29,8 +29,8 @@ # # Result variables: # -# - `GSS_FOUND`: System has the Heimdal library. -# - `GSS_FLAVOUR`: "GNU", "MIT" or "Heimdal" if anything found. +# - `GSS_FOUND`: System has a GSS library. +# - `GSS_FLAVOUR`: "GNU" or "MIT" if anything found. # - `GSS_INCLUDE_DIRS`: The GSS include directories. # - `GSS_LIBRARIES`: The GSS library names. # - `GSS_LIBRARY_DIRS`: The GSS library directories. @@ -41,7 +41,6 @@ set(_gnu_modname "gss") set(_mit_modname "mit-krb5-gssapi") -set(_heimdal_modname "heimdal-gssapi") include(CheckIncludeFile) include(CheckIncludeFiles) @@ -56,7 +55,7 @@ set(_gss_LIBRARY_DIRS "") if(NOT GSS_ROOT_DIR AND NOT "$ENV{GSS_ROOT_DIR}") if(CURL_USE_PKGCONFIG) find_package(PkgConfig QUIET) - pkg_search_module(_gss ${_gnu_modname} ${_mit_modname} ${_heimdal_modname}) + pkg_search_module(_gss ${_gnu_modname} ${_mit_modname}) list(APPEND _gss_root_hints "${_gss_PREFIX}") set(_gss_version "${_gss_VERSION}") endif() @@ -137,14 +136,8 @@ if(NOT _gss_FOUND) # Not found by pkg-config. Let us take more traditional appr OUTPUT_STRIP_TRAILING_WHITESPACE) # Older versions may not have the "--vendor" parameter. In this case we just do not care. - if(_gss_configure_failed) - set(GSS_FLAVOUR "Heimdal") # most probably, should not really matter - else() - if(_gss_vendor MATCHES "Heimdal|heimdal") - set(GSS_FLAVOUR "Heimdal") - else() - set(GSS_FLAVOUR "MIT") - endif() + if(NOT _gss_configure_failed AND NOT _gss_vendor MATCHES "Heimdal|heimdal") + set(GSS_FLAVOUR "MIT") # assume a default, should not really matter endif() else() # Either there is no config script or we are on a platform that does not provide one (Windows?) @@ -155,33 +148,19 @@ if(NOT _gss_FOUND) # Not found by pkg-config. Let us take more traditional appr cmake_push_check_state() list(APPEND CMAKE_REQUIRED_INCLUDES "${_gss_INCLUDE_DIRS}") check_include_files("gssapi/gssapi_generic.h;gssapi/gssapi_krb5.h" _gss_have_mit_headers) + cmake_pop_check_state() if(_gss_have_mit_headers) set(GSS_FLAVOUR "MIT") - else() - # Prevent compiling the header - just check if we can include it - list(APPEND CMAKE_REQUIRED_DEFINITIONS "-D__ROKEN_H__") - check_include_file("roken.h" _gss_have_roken_h) - - check_include_file("heimdal/roken.h" _gss_have_heimdal_roken_h) - if(_gss_have_roken_h OR _gss_have_heimdal_roken_h) - set(GSS_FLAVOUR "Heimdal") - endif() endif() - cmake_pop_check_state() else() # I am not convinced if this is the right way but this is what autotools do at the moment find_path(_gss_INCLUDE_DIRS NAMES "gssapi.h" HINTS ${_gss_root_hints} PATH_SUFFIXES "include" "inc") + find_path(_gss_INCLUDE_DIRS NAMES "gss.h" HINTS ${_gss_root_hints} PATH_SUFFIXES "include") if(_gss_INCLUDE_DIRS) - set(GSS_FLAVOUR "Heimdal") - else() - find_path(_gss_INCLUDE_DIRS NAMES "gss.h" HINTS ${_gss_root_hints} PATH_SUFFIXES "include") - - if(_gss_INCLUDE_DIRS) - set(GSS_FLAVOUR "GNU") - set(GSS_PC_REQUIRES "gss") - endif() + set(GSS_FLAVOUR "GNU") + set(GSS_PC_REQUIRES "gss") endif() endif() @@ -201,35 +180,32 @@ if(NOT _gss_FOUND) # Not found by pkg-config. Let us take more traditional appr list(APPEND _gss_libdir_suffixes "lib/AMD64") if(GSS_FLAVOUR STREQUAL "GNU") set(_gss_libname "gss") - elseif(GSS_FLAVOUR STREQUAL "MIT") + else() # MIT set(_gss_libname "gssapi64") - else() - set(_gss_libname "libgssapi") endif() else() list(APPEND _gss_libdir_suffixes "lib/i386") if(GSS_FLAVOUR STREQUAL "GNU") set(_gss_libname "gss") - elseif(GSS_FLAVOUR STREQUAL "MIT") + else() # MIT set(_gss_libname "gssapi32") - else() - set(_gss_libname "libgssapi") endif() endif() else() list(APPEND _gss_libdir_suffixes "lib;lib64") # those suffixes are not checked for HINTS if(GSS_FLAVOUR STREQUAL "GNU") set(_gss_libname "gss") - elseif(GSS_FLAVOUR STREQUAL "MIT") + else() # MIT set(_gss_libname "gssapi_krb5") - else() - set(_gss_libname "gssapi") endif() endif() find_library(_gss_LIBRARIES NAMES ${_gss_libname} HINTS ${_gss_libdir_hints} PATH_SUFFIXES ${_gss_libdir_suffixes}) endif() endif() + if(NOT GSS_FLAVOUR) + message(FATAL_ERROR "GNU or MIT GSS is required") + endif() else() # _gss_MODULE_NAME set since CMake 3.16. # _pkg_check_modules_pkg_name is undocumented and used as a fallback for CMake <3.16 versions. @@ -240,8 +216,7 @@ else() set(GSS_FLAVOUR "MIT") set(GSS_PC_REQUIRES "mit-krb5-gssapi") else() - set(GSS_FLAVOUR "Heimdal") - set(GSS_PC_REQUIRES "heimdal-gssapi") + message(FATAL_ERROR "GNU or MIT GSS is required") endif() message(STATUS "Found GSS/${GSS_FLAVOUR} (via pkg-config): ${_gss_INCLUDE_DIRS} (found version \"${_gss_version}\")") endif() @@ -254,25 +229,8 @@ set(GSS_LIBRARY_DIRS ${_gss_LIBRARY_DIRS}) set(GSS_CFLAGS ${_gss_CFLAGS}) set(GSS_VERSION ${_gss_version}) -if(GSS_FLAVOUR) - if(NOT GSS_VERSION AND GSS_FLAVOUR STREQUAL "Heimdal") - if(CMAKE_SIZEOF_VOID_P EQUAL 8) - set(_heimdal_manifest_file "Heimdal.Application.amd64.manifest") - else() - set(_heimdal_manifest_file "Heimdal.Application.x86.manifest") - endif() - - if(EXISTS "${GSS_INCLUDE_DIRS}/${_heimdal_manifest_file}") - file(STRINGS "${GSS_INCLUDE_DIRS}/${_heimdal_manifest_file}" _heimdal_version_str - REGEX "^.*version=\"[0-9]\\.[^\"]+\".*$") - - string(REGEX MATCH "[0-9]\\.[^\"]+" GSS_VERSION "${_heimdal_version_str}") - endif() - - if(NOT GSS_VERSION) - set(GSS_VERSION "Heimdal Unknown") - endif() - elseif(NOT GSS_VERSION AND GSS_FLAVOUR STREQUAL "MIT") +if(NOT GSS_VERSION) + if(GSS_FLAVOUR STREQUAL "MIT") if(CMAKE_VERSION VERSION_GREATER_EQUAL 3.24) cmake_host_system_information(RESULT _mit_version QUERY WINDOWS_REGISTRY "HKLM/SOFTWARE/MIT/Kerberos/SDK/CurrentVersion" VALUE "VersionString") @@ -285,7 +243,7 @@ if(GSS_FLAVOUR) else() set(GSS_VERSION "MIT Unknown") endif() - elseif(NOT GSS_VERSION AND GSS_FLAVOUR STREQUAL "GNU") + else() # GNU if(GSS_INCLUDE_DIRS AND EXISTS "${GSS_INCLUDE_DIRS}/gss.h") set(_version_regex "#[\t ]*define[\t ]+GSS_VERSION[\t ]+\"([^\"]*)\"") file(STRINGS "${GSS_INCLUDE_DIRS}/gss.h" _version_str REGEX "${_version_regex}") diff --git a/CMakeLists.txt b/CMakeLists.txt index 3b5ed10f80..f711dff04a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1442,36 +1442,36 @@ if(CURL_USE_GSSAPI) if(GSS_FLAVOUR STREQUAL "GNU") set(HAVE_GSSGNU 1) - else() + else() # MIT cmake_push_check_state() list(APPEND CMAKE_REQUIRED_INCLUDES "${GSS_INCLUDE_DIRS}") set(_include_list "") + check_include_file("gssapi/gssapi.h" HAVE_GSSAPI_GSSAPI_H) if(HAVE_GSSAPI_GSSAPI_H) list(APPEND _include_list "gssapi/gssapi.h") endif() - check_include_files("${_include_list};gssapi/gssapi_generic.h" HAVE_GSSAPI_GSSAPI_GENERIC_H) - if(GSS_FLAVOUR STREQUAL "MIT") - check_include_files("${_include_list};gssapi/gssapi_krb5.h" _have_gssapi_gssapi_krb5_h) - if(HAVE_GSSAPI_GSSAPI_GENERIC_H) - list(APPEND _include_list "gssapi/gssapi_generic.h") - endif() - if(_have_gssapi_gssapi_krb5_h) - list(APPEND _include_list "gssapi/gssapi_krb5.h") - endif() + check_include_files("${_include_list};gssapi/gssapi_generic.h" HAVE_GSSAPI_GSSAPI_GENERIC_H) + check_include_files("${_include_list};gssapi/gssapi_krb5.h" _have_gssapi_gssapi_krb5_h) + if(HAVE_GSSAPI_GSSAPI_GENERIC_H) + list(APPEND _include_list "gssapi/gssapi_generic.h") + endif() + if(_have_gssapi_gssapi_krb5_h) + list(APPEND _include_list "gssapi/gssapi_krb5.h") + endif() - if(NOT DEFINED HAVE_GSS_C_NT_HOSTBASED_SERVICE) - string(APPEND CMAKE_REQUIRED_FLAGS " ${GSS_CFLAGS}") - list(APPEND CMAKE_REQUIRED_LIBRARIES "${GSS_LIBRARIES}") - curl_required_libpaths("${GSS_LIBRARY_DIRS}") - check_symbol_exists("GSS_C_NT_HOSTBASED_SERVICE" "${_include_list}" HAVE_GSS_C_NT_HOSTBASED_SERVICE) - endif() - if(NOT HAVE_GSS_C_NT_HOSTBASED_SERVICE) - set(HAVE_OLD_GSSMIT ON) - endif() + if(NOT DEFINED HAVE_GSS_C_NT_HOSTBASED_SERVICE) + string(APPEND CMAKE_REQUIRED_FLAGS " ${GSS_CFLAGS}") + list(APPEND CMAKE_REQUIRED_LIBRARIES "${GSS_LIBRARIES}") + curl_required_libpaths("${GSS_LIBRARY_DIRS}") + check_symbol_exists("GSS_C_NT_HOSTBASED_SERVICE" "${_include_list}" HAVE_GSS_C_NT_HOSTBASED_SERVICE) + endif() + if(NOT HAVE_GSS_C_NT_HOSTBASED_SERVICE) + set(HAVE_OLD_GSSMIT ON) endif() + unset(_include_list) cmake_pop_check_state() endif() diff --git a/RELEASE-NOTES b/RELEASE-NOTES index d80ceae5fc..47c7dd5255 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -102,7 +102,6 @@ This release includes the following bugfixes: o httpsrr: free old pointers when storing new [57] o INSTALL-CMAKE.md: document useful build targets [215] o INTERNALS: drop Winsock 2.2 from the dependency list [162] - o INTERNALS: specify minimum version for Heimdal: 7.1.0 [158] o ip-happy: do not set unnecessary timeout [95] o ip-happy: prevent event-based stall on retry [155] o krb5: return appropriate error on send failures [22] @@ -448,7 +447,6 @@ References to bug reports and discussions on issues: [155] = https://curl.se/bug/?i=18815 [156] = https://curl.se/bug/?i=18893 [157] = https://curl.se/bug/?i=18806 - [158] = https://curl.se/bug/?i=18809 [159] = https://curl.se/bug/?i=18924 [160] = https://curl.se/bug/?i=18810 [161] = https://curl.se/bug/?i=18749 diff --git a/configure.ac b/configure.ac index c90606f507..c76be65e96 100644 --- a/configure.ac +++ b/configure.ac @@ -1840,7 +1840,7 @@ if test x"$want_gss" = xyes; then gnu_gss=yes ], [ - dnl not found, check Heimdal or MIT + dnl not found, check for MIT AC_CHECK_HEADERS([gssapi/gssapi.h], [], [not_mit=1]) AC_CHECK_HEADERS( [gssapi/gssapi_generic.h gssapi/gssapi_krb5.h], @@ -1853,15 +1853,8 @@ if test x"$want_gss" = xyes; then #endif ]) if test "x$not_mit" = "x1"; then - dnl MIT not found, check for Heimdal - AC_CHECK_HEADER(gssapi.h, - [], - [ - dnl no header found, disabling GSS - want_gss=no - AC_MSG_WARN(disabling GSS-API support since no header files were found) - ] - ) + dnl MIT not found + AC_MSG_ERROR([MIT or GNU GSS library required, but not found]) else dnl MIT found dnl check if we have a really old MIT Kerberos version (<= 1.2) @@ -1894,7 +1887,7 @@ fi if test x"$want_gss" = xyes; then AC_DEFINE(HAVE_GSSAPI, 1, [if you have GSS-API libraries]) HAVE_GSSAPI=1 - curl_gss_msg="enabled (MIT Kerberos/Heimdal)" + curl_gss_msg="enabled (MIT Kerberos)" link_pkgconfig='' if test -n "$gnu_gss"; then @@ -1961,8 +1954,6 @@ if test x"$want_gss" = xyes; then if test -n "$link_pkgconfig"; then if test -n "$gnu_gss"; then LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE gss" - elif test "x$not_mit" = "x1"; then - LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE heimdal-gssapi" else LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE mit-krb5-gssapi" fi diff --git a/docs/INSTALL-CMAKE.md b/docs/INSTALL-CMAKE.md index a0430bbfa4..46215747e7 100644 --- a/docs/INSTALL-CMAKE.md +++ b/docs/INSTALL-CMAKE.md @@ -474,7 +474,7 @@ the parent project, ideally in the "extra" find package redirect file: Available variables: - `HAVE_GNUTLS_SRP`: `gnutls_srp_verifier` present in GnuTLS. -- `HAVE_GSS_C_NT_HOSTBASED_SERVICE`: `GSS_C_NT_HOSTBASED_SERVICE` present in GSS/Heimdal/Kerberos. +- `HAVE_GSS_C_NT_HOSTBASED_SERVICE`: `GSS_C_NT_HOSTBASED_SERVICE` present in GSS/Kerberos. - `HAVE_LDAP_INIT_FD`: `ldap_init_fd` present in LDAP library. - `HAVE_LDAP_URL_PARSE`: `ldap_url_parse` present in LDAP library. - `HAVE_OPENSSL_SRP`: `SSL_CTX_set_srp_username` present in OpenSSL (or fork). diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md index 84b939f4dc..3ad1b3e8c2 100644 --- a/docs/INTERNALS.md +++ b/docs/INTERNALS.md @@ -36,7 +36,6 @@ versions of libs and build tools. - wolfSSL 3.4.6 - OpenLDAP 2.0 - MIT Kerberos 1.2.4 - - Heimdal 7.1.0 - nghttp2 1.15.0 ## Build tools diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS index 5b7df42bda..c9beb28361 100644 --- a/docs/KNOWN_BUGS +++ b/docs/KNOWN_BUGS @@ -38,7 +38,6 @@ problems may have been fixed or changed somewhat since this was written. 5.2 curl-config --libs contains private details 5.3 LDFLAGS passed too late making libs linked incorrectly 5.6 Cygwin: make install installs curl-config.1 twice - 5.11 configure --with-gssapi with Heimdal is ignored on macOS 5.12 flaky CI builds 5.13 long paths are not fully supported on Windows 5.15 Unicode on Windows @@ -49,7 +48,6 @@ problems may have been fixed or changed somewhat since this was written. 6.5 NTLM does not support password with Unicode 'SECTION SIGN' character 6.6 libcurl can fail to try alternatives with --proxy-any 6.7 Do not clear digest for single realm - 6.8 Heimdal memory leaks 6.9 SHA-256 digest not supported in Windows SSPI builds 6.10 curl never completes Negotiate over HTTP 6.11 Negotiate on Windows fails @@ -238,12 +236,6 @@ problems may have been fixed or changed somewhat since this was written. https://github.com/curl/curl/issues/8839 -5.11 configure --with-gssapi with Heimdal is ignored on macOS - - ... unless you also pass --with-gssapi-libs - - https://github.com/curl/curl/issues/3841 - 5.12 flaky CI builds We run many CI builds for each commit and PR on github, and especially a @@ -342,13 +334,6 @@ problems may have been fixed or changed somewhat since this was written. https://github.com/curl/curl/issues/3267 -6.8 Heimdal memory leaks - - Running test 2077 and 2078 with curl built to do GSS with Heimdal causes - valgrind errors (memory leak). - - https://github.com/curl/curl/issues/14446 - 6.9 SHA-256 digest not supported in Windows SSPI builds Windows builds of curl that have SSPI enabled use the native Windows API calls diff --git a/docs/TODO b/docs/TODO index 4db3f5f4ed..65d735d1be 100644 --- a/docs/TODO +++ b/docs/TODO @@ -496,8 +496,8 @@ 4.6 GSSAPI via Windows SSPI In addition to currently supporting the SASL GSSAPI mechanism (Kerberos V5) - via third-party GSS-API libraries, such as Heimdal or MIT Kerberos, also add - support for GSSAPI authentication via Windows SSPI. + via third-party GSS-API libraries, such as MIT Kerberos, also add support + for GSSAPI authentication via Windows SSPI. 4.7 STAT for LIST without data connection