From 73840836a51c443e6b5d385014ce1c8f5be3e02b Mon Sep 17 00:00:00 2001 
From: Viktor Szakats Date: Wed, 25 Jun 2025 01:45:04 +0200 Subject: [PATCH] tests: move GSS-API dynamic stub into debug-mode libcurl Replace the `libstubgss.so`-based overload solution with one built into libcurl at compile-time. The previous, `LD_PRELOAD`-based, solution was non-portable, allowlisted for Linux, BSD and Solaris. It also required non-debug builds, which turned out to be an accidental condition: 7d342c723c5ae8e9312210936287810741f40bc5. It also required a curl tool built against a shared libcurl. Detecting this condition wasn't always accurate, e.g. with certain cmake configurations. The overload solution also didn't work on macOS, though it theoretically should have: - #17653 - #2394 Experiments on making the overload solution work in more envs: - #17759 That revealed that it also did not work on NetBSD, in CI. The replacement solution is overloading the necessary GSS-API functions for test 2056 and 2057 at compile time. It requires a debug-enabled curl build (due to its insecure nature). This makes these tests run on all platforms. Including most GSS jobs in CI, that are running tests. (the exception is old-linux, non-debug jobs, where it felt overkill to enable debug for this.) The refactored GSS stub code needs to overload less than before because it's free to use the official GSS API. (This didn't work with the overload solution on Alpine for example). It can also use libcurl functions, allowing to replace `snprintf()` with `msnprintf()`. OS/400 is also overloading GSS API functions. I haven't tested how this works after this PR. In theory it should, because this PR doesn't rely on preprocessor overrides. Note that for future GSS tests, it may be necessary to stub these GSS API functions: `gss_inquire_context()`, `gss_unwrap()`, `gss_wrap()`. They are on codepaths not (yet) touched by tests. Also: - stub-gss: check for token buffer overrun. - stub-gss: replace size macros with `sizeof()`. - GHA: enable debug for some jobs with GSS. 
- GHA/linux: ignore results for 2056 and 2057 in the valgrind job. They leak the same way as seen with 2077 and 2078. Ref: 7020ba797961d38c3bf24539f9bb407e0586274d #17462 Ref: 146759716cbacfd453b9fb13d1096f0595424a6c #14430 - GHA/linux: fix to ignore `gss_import_name()` leaks in valgrind builds. only. - lib/vauth/krb5_gssapi: reduce variable scope. - lib/vauth/spnego_gssapi: reduce variable scope. - tests/libtest: drop code and build logic dealing with `libstubgss`. - runtests: - drop `ld_preload` feature. - drop special handling of `LD_PRELOAD` env in tests. - drop logic dealing with shared curl tool detection. - drop `LD_PRELOAD` envs from tests. Follow-up to 56d949d31ad182a22bd3bad25b1a902b635d549d #1687 Closes #17752 --- .github/workflows/linux.yml | 8 +- .github/workflows/macos.yml | 4 +- docs/tests/FILEFORMAT.md | 1 - lib/curl_gssapi.c | 298 ++++++++++++++++++++++- lib/curl_gssapi.h | 25 +- lib/krb5.c | 3 +- lib/socks_gssapi.c | 50 ++-- lib/vauth/krb5_gssapi.c | 6 +- lib/vauth/spnego_gssapi.c | 7 +- tests/data/test2056 | 5 +- tests/data/test2057 | 5 +- tests/globalconfig.pm | 2 - tests/libtest/CMakeLists.txt | 8 +- tests/libtest/Makefile.am | 22 +- tests/libtest/Makefile.inc | 3 - tests/libtest/stub_gssapi.c | 460 ----------------------------------- tests/libtest/stub_gssapi.h | 186 -------------- tests/runner.pm | 12 - tests/runtests.pl | 12 - 19 files changed, 345 insertions(+), 772 deletions(-) delete mode 100644 tests/libtest/stub_gssapi.c delete mode 100644 tests/libtest/stub_gssapi.h diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 297ee54efa..618dd7cfc3 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml 
@@ -279,7 +279,7 @@ jobs: - name: 'Slackware openssl gssapi gcc' # These are essentially the same flags used to build the curl Slackware package # https://ftpmirror.infania.net/slackware/slackware64-current/source/n/curl/curl.SlackBuild - configure: --with-openssl --with-libssh2 --with-gssapi --enable-ares --enable-static=no --without-ca-bundle --with-ca-path=/etc/ssl/certs + configure: --enable-debug --with-openssl --with-libssh2 --with-gssapi --enable-ares --enable-static=no --without-ca-bundle --with-ca-path=/etc/ssl/certs # Docker Hub image that `container-job` executes in container: 'andy5995/slackware-build-essential:15.0' @@ -652,9 +652,9 @@ jobs: fi if [[ "${MATRIX_INSTALL_PACKAGES}" = *'valgrind'* ]]; then TFLAGS+=' -j6' - fi - if [[ "${MATRIX_INSTALL_PACKAGES}" = *'heimdal-dev'* ]]; then - TFLAGS+=' ~2077 ~2078' # valgrind reporting memory leaks from Curl_auth_decode_spnego_message() -> gss_import_name() + if [[ "${MATRIX_INSTALL_PACKAGES}" = *'heimdal-dev'* ]]; then + TFLAGS+=' ~2056 ~2057 ~2077 ~2078' # memory leaks from Curl_auth_decode_spnego_message() -> gss_import_name() + fi fi fi [ -x ~/venv/bin/activate ] && source ~/venv/bin/activate diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index edeb6c7174..f7d1b8facd 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -133,7 +133,7 @@ jobs: generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/quictls -DBUILD_STATIC_LIBS=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON - name: 'LibreSSL !ldap heimdal c-ares +examples' install: libressl heimdal - generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/libressl -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/heimdal -DCURL_DISABLE_LDAP=ON + generate: -DENABLE_DEBUG=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/libressl -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/heimdal -DCURL_DISABLE_LDAP=ON - name: 'wolfSSL !ldap brotli zstd' install: brotli wolfssl zstd install_steps: pytest 
@@ -143,7 +143,7 @@ jobs: generate: -DCURL_USE_MBEDTLS=ON -DLDAP_INCLUDE_DIR=/opt/homebrew/opt/openldap/include -DLDAP_LIBRARY=/opt/homebrew/opt/openldap/lib/libldap.dylib -DLDAP_LBER_LIBRARY=/opt/homebrew/opt/openldap/lib/liblber.dylib - name: 'GnuTLS !ldap krb5' install: gnutls nettle krb5 - generate: -DCURL_USE_GNUTLS=ON -DCURL_USE_OPENSSL=OFF -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/krb5 -DCURL_DISABLE_LDAP=ON -DUSE_SSLS_EXPORT=ON + generate: -DENABLE_DEBUG=ON -DCURL_USE_GNUTLS=ON -DCURL_USE_OPENSSL=OFF -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/krb5 -DCURL_DISABLE_LDAP=ON -DUSE_SSLS_EXPORT=ON - name: 'OpenSSL torture !FTP' generate: -DENABLE_DEBUG=ON -DBUILD_SHARED_LIBS=OFF -DENABLE_THREADED_RESOLVER=OFF -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl tflags: -t --shallow=25 !FTP diff --git a/docs/tests/FILEFORMAT.md b/docs/tests/FILEFORMAT.md index 98b09ed3a0..1c9cf06ee1 100644 --- a/docs/tests/FILEFORMAT.md +++ b/docs/tests/FILEFORMAT.md @@ -474,7 +474,6 @@ Features testable here are: - `Largefile` - `large-time` (time_t is larger than 32-bit) - `large-size` (size_t is larger than 32-bit) -- `ld_preload` - `libssh2` - `libssh` - `oldlibssh` (versions before 0.9.4) diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c index f83701ad64..4690218050 100644 --- a/lib/curl_gssapi.c +++ b/lib/curl_gssapi.c 
@@ -52,17 +52,260 @@ gss_OID_desc Curl_krb5_mech_oid CURL_ALIGN8 = { 9, CURL_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }; -OM_uint32 Curl_gss_init_sec_context( - struct Curl_easy *data, - OM_uint32 *minor_status, - gss_ctx_id_t *context, - gss_name_t target_name, - gss_OID mech_type, - gss_channel_bindings_t input_chan_bindings, - gss_buffer_t input_token, - gss_buffer_t output_token, - const bool mutual_auth, - OM_uint32 *ret_flags) +#ifdef DEBUGBUILD +enum min_err_code { + STUB_GSS_OK = 0, + STUB_GSS_NO_MEMORY, + STUB_GSS_INVALID_ARGS, + STUB_GSS_INVALID_CREDS, + STUB_GSS_INVALID_CTX, + STUB_GSS_SERVER_ERR, + STUB_GSS_NO_MECH, + STUB_GSS_LAST +}; + +/* libcurl is also passing this struct to these functions, which are not yet + * stubbed: + * gss_inquire_context() + * gss_unwrap() + * gss_wrap() + */ +struct stub_gss_ctx_id_t_desc { + enum { STUB_GSS_NONE, STUB_GSS_KRB5, STUB_GSS_NTLM1, STUB_GSS_NTLM3 } sent; + int have_krb5; + int have_ntlm; + OM_uint32 flags; + char creds[250]; +}; + +static OM_uint32 +stub_gss_init_sec_context(OM_uint32 *min, + gss_cred_id_t initiator_cred_handle, + struct stub_gss_ctx_id_t_desc **context, + gss_name_t target_name, + const gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + const gss_channel_bindings_t input_chan_bindings, + gss_buffer_desc *input_token, + gss_OID *actual_mech_type, + gss_buffer_desc *output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec) +{ + struct stub_gss_ctx_id_t_desc *ctx = NULL; + + /* The token will be encoded in base64 */ + size_t length = sizeof(ctx->creds) * 3 / 4; + size_t used = 0; + char *token = NULL; + const char *creds = NULL; + + (void)initiator_cred_handle; + (void)mech_type; + (void)time_req; + (void)input_chan_bindings; + (void)actual_mech_type; + + if(!min) + return GSS_S_FAILURE; + + *min = 0; + + if(!context || !target_name || !output_token) { + *min = STUB_GSS_INVALID_ARGS; + return GSS_S_FAILURE; + } + + creds = getenv("CURL_STUB_GSS_CREDS"); + if(!creds || 
strlen(creds) >= sizeof(ctx->creds)) { + *min = STUB_GSS_INVALID_CREDS; + return GSS_S_FAILURE; + } + + ctx = *context; + if(ctx && strcmp(ctx->creds, creds)) { + *min = STUB_GSS_INVALID_CREDS; + return GSS_S_FAILURE; + } + + output_token->length = 0; + output_token->value = NULL; + + if(input_token && input_token->length) { + if(!ctx) { + *min = STUB_GSS_INVALID_CTX; + return GSS_S_FAILURE; + } + + /* Server response, either D (RA==) or C (Qw==) */ + if(((char *) input_token->value)[0] == 'D') { + /* Done */ + switch(ctx->sent) { + case STUB_GSS_KRB5: + case STUB_GSS_NTLM3: + if(ret_flags) + *ret_flags = ctx->flags; + if(time_rec) + *time_rec = GSS_C_INDEFINITE; + return GSS_S_COMPLETE; + default: + *min = STUB_GSS_SERVER_ERR; + return GSS_S_FAILURE; + } + } + + if(((char *) input_token->value)[0] != 'C') { + /* We only support Done or Continue */ + *min = STUB_GSS_SERVER_ERR; + return GSS_S_FAILURE; + } + + /* Continue */ + switch(ctx->sent) { + case STUB_GSS_KRB5: + /* We sent KRB5 and it failed, let's try NTLM */ + if(ctx->have_ntlm) { + ctx->sent = STUB_GSS_NTLM1; + break; + } + else { + *min = STUB_GSS_SERVER_ERR; + return GSS_S_FAILURE; + } + case STUB_GSS_NTLM1: + ctx->sent = STUB_GSS_NTLM3; + break; + default: + *min = STUB_GSS_SERVER_ERR; + return GSS_S_FAILURE; + } + } + else { + if(ctx) { + *min = STUB_GSS_INVALID_CTX; + return GSS_S_FAILURE; + } + + ctx = calloc(1, sizeof(*ctx)); + if(!ctx) { + *min = STUB_GSS_NO_MEMORY; + return GSS_S_FAILURE; + } + + if(strstr(creds, "KRB5")) + ctx->have_krb5 = 1; + + if(strstr(creds, "NTLM")) + ctx->have_ntlm = 1; + + if(ctx->have_krb5) + ctx->sent = STUB_GSS_KRB5; + else if(ctx->have_ntlm) + ctx->sent = STUB_GSS_NTLM1; + else { + free(ctx); + *min = STUB_GSS_NO_MECH; + return GSS_S_FAILURE; + } + + strcpy(ctx->creds, creds); + ctx->flags = req_flags; + } + + /* To avoid memdebug macro replacement, wrap the name in parentheses to call + the original version. It is freed via the GSS API gss_release_buffer(). 
*/ + token = (malloc)(length); + if(!token) { + free(ctx); + *min = STUB_GSS_NO_MEMORY; + return GSS_S_FAILURE; + } + + { + gss_buffer_desc target_desc; + gss_OID name_type = GSS_C_NO_OID; + OM_uint32 minor_status; + OM_uint32 major_status; + major_status = gss_display_name(&minor_status, target_name, + &target_desc, &name_type); + if(GSS_ERROR(major_status)) { + (free)(token); + free(ctx); + *min = STUB_GSS_NO_MEMORY; + return GSS_S_FAILURE; + } + + if(strlen(creds) + target_desc.length + 5 >= sizeof(ctx->creds)) { + (free)(token); + free(ctx); + *min = STUB_GSS_NO_MEMORY; + return GSS_S_FAILURE; + } + + /* Token format: creds:target:type:padding */ + used = msnprintf(token, length, "%s:%.*s:%d:", creds, + (int)target_desc.length, (const char *)target_desc.value, + ctx->sent); + + gss_release_buffer(&minor_status, &target_desc); + } + + if(used >= length) { + (free)(token); + free(ctx); + *min = STUB_GSS_NO_MEMORY; + return GSS_S_FAILURE; + } + + /* Overwrite null-terminator */ + memset(token + used, 'A', length - used); + + *context = ctx; + + output_token->value = token; + output_token->length = length; + + return GSS_S_CONTINUE_NEEDED; +} + +static OM_uint32 +stub_gss_delete_sec_context(OM_uint32 *min, + struct stub_gss_ctx_id_t_desc **context, + gss_buffer_t output_token) +{ + (void)output_token; + + if(!min) + return GSS_S_FAILURE; + + if(!context) { + *min = STUB_GSS_INVALID_CTX; + return GSS_S_FAILURE; + } + if(!*context) { + *min = STUB_GSS_INVALID_CTX; + return GSS_S_FAILURE; + } + + free(*context); + *context = NULL; + *min = 0; + + return GSS_S_COMPLETE; +} +#endif /* DEBUGBUILD */ + +OM_uint32 Curl_gss_init_sec_context(struct Curl_easy *data, + OM_uint32 *minor_status, + gss_ctx_id_t *context, + gss_name_t target_name, + gss_OID mech_type, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_buffer_t output_token, + const bool mutual_auth, + OM_uint32 *ret_flags) { OM_uint32 req_flags = GSS_C_REPLAY_FLAG; 
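Review bot: In `stub_gss_init_sec_context()`, every error path after `token = (malloc)(length)` calls `free(ctx)`, but on a continuation call (non-empty `input_token`) `ctx` is the caller's existing `*context`. The handle is then left pointing at freed memory, and the cleanup code that calls `Curl_gss_delete_sec_context()` on any non-NULL context would free it a second time. Free only a context allocated by this call, for example `if(ctx != *context) free(ctx);` on those paths. The branch that rejects `strlen(creds) + target_desc.length + 5 >= sizeof(ctx->creds)` also returns without `gss_release_buffer(&minor_status, &target_desc);`, so the buffer filled by `gss_display_name()` leaks there. That same check bounds the token against `sizeof(ctx->creds)` rather than `length`; if `msnprintf()` reports bytes stored rather than the untruncated length, the later `used >= length` test would not catch a truncated token, so comparing against `length` directly is safer.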
@@ -74,13 +317,30 @@ OM_uint32 Curl_gss_init_sec_context( req_flags |= GSS_C_DELEG_POLICY_FLAG; #else infof(data, "WARNING: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not " - "compiled in"); + "compiled in"); #endif } if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG) req_flags |= GSS_C_DELEG_FLAG; +#ifdef DEBUGBUILD + if(getenv("CURL_STUB_GSS_CREDS")) + return stub_gss_init_sec_context(minor_status, + GSS_C_NO_CREDENTIAL, /* cred_handle */ + (struct stub_gss_ctx_id_t_desc **)context, + target_name, + mech_type, + req_flags, + 0, /* time_req */ + input_chan_bindings, + input_token, + NULL, /* actual_mech_type */ + output_token, + ret_flags, + NULL /* time_rec */); +#endif /* DEBUGBUILD */ + return gss_init_sec_context(minor_status, GSS_C_NO_CREDENTIAL, /* cred_handle */ context, @@ -96,6 +356,20 @@ OM_uint32 Curl_gss_init_sec_context( NULL /* time_rec */); } +OM_uint32 Curl_gss_delete_sec_context(OM_uint32 *min, + gss_ctx_id_t *context, + gss_buffer_t output_token) +{ +#ifdef DEBUGBUILD + if(getenv("CURL_STUB_GSS_CREDS")) + return stub_gss_delete_sec_context(min, + (struct stub_gss_ctx_id_t_desc **)context, + output_token); +#endif /* DEBUGBUILD */ + + return gss_delete_sec_context(min, context, output_token); +} + #define GSS_LOG_BUFFER_LEN 1024 static size_t display_gss_error(OM_uint32 status, int type, char *buf, size_t len) { diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h index 7b9a534ea2..2659f23460 100644 --- a/lib/curl_gssapi.h +++ b/lib/curl_gssapi.h 
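Review bot: The choice between the stub and the real library is re-read from `getenv("CURL_STUB_GSS_CREDS")` on every call, here and again in `Curl_gss_delete_sec_context()` in the next hunk, while the handle is only cast to `struct stub_gss_ctx_id_t_desc **` and carries no marker of which side created it. If the variable is set or cleared while a context is alive, a stub allocation is handed to the real `gss_delete_sec_context()`, or a real context to `free()`. A comment at the first `#ifdef DEBUGBUILD` dispatch would record the constraint, e.g. `/* debug builds only: with CURL_STUB_GSS_CREDS set no real GSS-API authentication happens; the variable must not change while a context exists */`. The body of `Curl_gss_init_sec_context()` starts outside this hunk.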
@@ -32,17 +32,20 @@ extern gss_OID_desc Curl_spnego_mech_oid; extern gss_OID_desc Curl_krb5_mech_oid; /* Common method for using GSS-API */ -OM_uint32 Curl_gss_init_sec_context( - struct Curl_easy *data, - OM_uint32 *minor_status, - gss_ctx_id_t *context, - gss_name_t target_name, - gss_OID mech_type, - gss_channel_bindings_t input_chan_bindings, - gss_buffer_t input_token, - gss_buffer_t output_token, - const bool mutual_auth, - OM_uint32 *ret_flags); +OM_uint32 Curl_gss_init_sec_context(struct Curl_easy *data, + OM_uint32 *minor_status, + gss_ctx_id_t *context, + gss_name_t target_name, + gss_OID mech_type, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_buffer_t output_token, + const bool mutual_auth, + OM_uint32 *ret_flags); + +OM_uint32 Curl_gss_delete_sec_context(OM_uint32 *min, + gss_ctx_id_t *context_handle, + gss_buffer_t output_token); /* Helper to log a GSS-API error status */ void Curl_gss_log_error(struct Curl_easy *data, const char *prefix, diff --git a/lib/krb5.c b/lib/krb5.c index 8ddf843178..b5effa2a1b 100644 --- a/lib/krb5.c +++ b/lib/krb5.c @@ -385,7 +385,8 @@ static void krb5_end(void *app_data) OM_uint32 min; gss_ctx_id_t *context = app_data; if(*context != GSS_C_NO_CONTEXT) { - OM_uint32 maj = gss_delete_sec_context(&min, context, GSS_C_NO_BUFFER); + OM_uint32 maj = Curl_gss_delete_sec_context(&min, context, + GSS_C_NO_BUFFER); (void)maj; DEBUGASSERT(maj == GSS_S_COMPLETE); } diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c index d1a0c302f9..910d50db66 100644 --- a/lib/socks_gssapi.c +++ b/lib/socks_gssapi.c 
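Review bot: The new `Curl_gss_delete_sec_context()` prototype names its second parameter `context_handle`, while the definition added in lib/curl_gssapi.c calls it `context`; one name in both places keeps declaration and definition easy to match. The prototype also has no comment, unlike the declarations around it. Something like `/* Delete a context obtained via Curl_gss_init_sec_context(); do not pass such a context to gss_delete_sec_context() directly */` would tell callers why the wrapper is required, since in debug builds the handle may be a stub allocation rather than a real GSS context.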
@@ -199,7 +199,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, gss_release_name(&gss_status, &server); gss_release_buffer(&gss_status, &gss_recv_token); gss_release_buffer(&gss_status, &gss_send_token); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); failf(data, "Failed to initial GSS-API token."); return CURLE_COULDNT_CONNECT; } @@ -217,7 +217,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, gss_release_name(&gss_status, &server); gss_release_buffer(&gss_status, &gss_recv_token); gss_release_buffer(&gss_status, &gss_send_token); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } @@ -229,7 +229,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, gss_release_name(&gss_status, &server); gss_release_buffer(&gss_status, &gss_recv_token); gss_release_buffer(&gss_status, &gss_send_token); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } @@ -254,7 +254,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, if(result || (actualread != 4)) { failf(data, "Failed to receive GSS-API authentication response."); gss_release_name(&gss_status, &server); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } @@ -263,7 +263,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, failf(data, "User was rejected by the SOCKS5 server (%d %d).", socksreq[0], socksreq[1]); gss_release_name(&gss_status, &server); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } 
@@ -271,7 +271,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, failf(data, "Invalid GSS-API authentication response type (%d %d).", socksreq[0], socksreq[1]); gss_release_name(&gss_status, &server); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } @@ -285,7 +285,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, "Could not allocate memory for GSS-API authentication " "response token."); gss_release_name(&gss_status, &server); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_OUT_OF_MEMORY; } @@ -296,7 +296,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, failf(data, "Failed to receive GSS-API authentication token."); gss_release_name(&gss_status, &server); gss_release_buffer(&gss_status, &gss_recv_token); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } @@ -311,7 +311,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, NULL, NULL, NULL); if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_inquire_context")) { - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); gss_release_name(&gss_status, &gss_client_name); failf(data, "Failed to determine username."); return CURLE_COULDNT_CONNECT; 
@@ -320,7 +320,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, &gss_send_token, NULL); if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_display_name")) { - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); gss_release_name(&gss_status, &gss_client_name); gss_release_buffer(&gss_status, &gss_send_token); failf(data, "Failed to determine username."); @@ -328,7 +328,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, } user = malloc(gss_send_token.length + 1); if(!user) { - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); gss_release_name(&gss_status, &gss_client_name); gss_release_buffer(&gss_status, &gss_send_token); return CURLE_OUT_OF_MEMORY; @@ -397,7 +397,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, gss_send_token.length = 1; gss_send_token.value = Curl_memdup(&gss_enc, 1); if(!gss_send_token.value) { - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_OUT_OF_MEMORY; } @@ -408,7 +408,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_wrap")) { gss_release_buffer(&gss_status, &gss_send_token); gss_release_buffer(&gss_status, &gss_w_token); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); failf(data, "Failed to wrap GSS-API encryption value into token."); return CURLE_COULDNT_CONNECT; } 
@@ -423,7 +423,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, if(code || (4 != nwritten)) { failf(data, "Failed to send GSS-API encryption request."); gss_release_buffer(&gss_status, &gss_w_token); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } @@ -433,7 +433,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, &nwritten); if(code || ( 1 != nwritten)) { failf(data, "Failed to send GSS-API encryption type."); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } } @@ -443,7 +443,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, if(code || (gss_w_token.length != nwritten)) { failf(data, "Failed to send GSS-API encryption type."); gss_release_buffer(&gss_status, &gss_w_token); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } gss_release_buffer(&gss_status, &gss_w_token); @@ -452,7 +452,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, result = Curl_blockread_all(cf, data, (char *)socksreq, 4, &actualread); if(result || (actualread != 4)) { failf(data, "Failed to receive GSS-API encryption response."); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } 
@@ -460,14 +460,14 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, if(socksreq[1] == 255) { /* status / message type */ failf(data, "User was rejected by the SOCKS5 server (%d %d).", socksreq[0], socksreq[1]); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } if(socksreq[1] != 2) { /* status / message type */ failf(data, "Invalid GSS-API encryption response type (%d %d).", socksreq[0], socksreq[1]); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } @@ -477,7 +477,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, gss_recv_token.length = us_length; gss_recv_token.value = malloc(gss_recv_token.length); if(!gss_recv_token.value) { - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_OUT_OF_MEMORY; } result = Curl_blockread_all(cf, data, (char *)gss_recv_token.value, @@ -486,7 +486,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, if(result || (actualread != us_length)) { failf(data, "Failed to receive GSS-API encryption type."); gss_release_buffer(&gss_status, &gss_recv_token); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } @@ -498,7 +498,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_unwrap")) { gss_release_buffer(&gss_status, &gss_recv_token); gss_release_buffer(&gss_status, &gss_w_token); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); failf(data, "Failed to unwrap GSS-API encryption value into token."); return CURLE_COULDNT_CONNECT; } 
@@ -508,7 +508,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, failf(data, "Invalid GSS-API encryption response length (%zu).", gss_w_token.length); gss_release_buffer(&gss_status, &gss_w_token); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } @@ -520,7 +520,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, failf(data, "Invalid GSS-API encryption response length (%zu).", gss_recv_token.length); gss_release_buffer(&gss_status, &gss_recv_token); - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_COULDNT_CONNECT; } @@ -537,7 +537,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, conn->socks5_gssapi_enctype = socksreq[0]; if(socksreq[0] == 0) - gss_delete_sec_context(&gss_status, &gss_context, NULL); + Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL); return CURLE_OK; } diff --git a/lib/vauth/krb5_gssapi.c b/lib/vauth/krb5_gssapi.c index b559040617..78f4be3dc9 100644 --- a/lib/vauth/krb5_gssapi.c +++ b/lib/vauth/krb5_gssapi.c @@ -96,7 +96,6 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data, OM_uint32 major_status; OM_uint32 minor_status; OM_uint32 unused_status; - gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; @@ -104,6 +103,8 @@ CURLcode Curl_auth_create_gssapi_user_message(struct Curl_easy *data, (void) passwdp; if(!krb5->spn) { + gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER; + /* Generate our SPN */ char *spn = Curl_auth_build_spn(service, NULL, host); if(!spn) 
@@ -315,7 +316,8 @@ void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5) /* Free our security context */ if(krb5->context != GSS_C_NO_CONTEXT) { - gss_delete_sec_context(&minor_status, &krb5->context, GSS_C_NO_BUFFER); + Curl_gss_delete_sec_context(&minor_status, &krb5->context, + GSS_C_NO_BUFFER); krb5->context = GSS_C_NO_CONTEXT; } diff --git a/lib/vauth/spnego_gssapi.c b/lib/vauth/spnego_gssapi.c index b17ee46d17..1e576c7134 100644 --- a/lib/vauth/spnego_gssapi.c +++ b/lib/vauth/spnego_gssapi.c @@ -93,7 +93,6 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data, OM_uint32 major_status; OM_uint32 minor_status; OM_uint32 unused_status; - gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; gss_channel_bindings_t chan_bindings = GSS_C_NO_CHANNEL_BINDINGS; @@ -111,6 +110,8 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data, } if(!nego->spn) { + gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER; + /* Generate our SPN */ char *spn = Curl_auth_build_spn(service, NULL, host); if(!spn) @@ -267,7 +268,8 @@ void Curl_auth_cleanup_spnego(struct negotiatedata *nego) /* Free our security context */ if(nego->context != GSS_C_NO_CONTEXT) { - gss_delete_sec_context(&minor_status, &nego->context, GSS_C_NO_BUFFER); + Curl_gss_delete_sec_context(&minor_status, &nego->context, + GSS_C_NO_BUFFER); nego->context = GSS_C_NO_CONTEXT; } @@ -276,7 +278,6 @@ void Curl_auth_cleanup_spnego(struct negotiatedata *nego) gss_release_buffer(&minor_status, &nego->output_token); nego->output_token.value = NULL; nego->output_token.length = 0; - } /* Free the SPN */ diff --git a/tests/data/test2056 b/tests/data/test2056 index 4db243eb50..3833663c10 100644 --- a/tests/data/test2056 +++ b/tests/data/test2056 
@@ -39,12 +39,9 @@ HTTP Negotiate authentication (stub krb5) GSS-API -ld_preload -!Debug +Debug -LD_PRELOAD=libstubgss.so -LD_LIBRARY_PATH=%PWD/libtest/.libs:%PWD/libtest CURL_STUB_GSS_CREDS="KRB5_Alice" diff --git a/tests/data/test2057 b/tests/data/test2057 index 2385cbc549..7e45ae1214 100644 --- a/tests/data/test2057 +++ b/tests/data/test2057 @@ -55,12 +55,9 @@ HTTP Negotiate authentication (stub NTLM) GSS-API -ld_preload -!Debug +Debug -LD_PRELOAD=libstubgss.so -LD_LIBRARY_PATH=%PWD/libtest/.libs:%PWD/libtest CURL_STUB_GSS_CREDS="NTLM_Alice" diff --git a/tests/globalconfig.pm b/tests/globalconfig.pm index b120250f1b..83c4ccbaed 100644 --- a/tests/globalconfig.pm +++ b/tests/globalconfig.pm @@ -41,7 +41,6 @@ BEGIN { $CURLVERSION $CURLVERNUM $DATE - $has_shared $LIBDIR $UNITDIR $TUNITDIR @@ -141,6 +140,5 @@ our $DNSCMD="dnsd.cmd"; # write DNS instructions here our @protocols; # array of lowercase supported protocol servers our %feature; # hash of enabled features our %keywords; # hash of keywords from the test spec -our $has_shared; # built as a shared library 1; diff --git a/tests/libtest/CMakeLists.txt b/tests/libtest/CMakeLists.txt index ea10fd1cb7..bfd29851cf 100644 --- a/tests/libtest/CMakeLists.txt +++ b/tests/libtest/CMakeLists.txt @@ -22,7 +22,7 @@ # ########################################################################### -# Get BUNDLE, FIRST_C, FIRST_H, UTILS_C, UTILS_H, CURLX_C, TESTS_C, STUB_GSS_C, STUB_GSS_H variables +# Get BUNDLE, FIRST_C, FIRST_H, UTILS_C, UTILS_H, CURLX_C, TESTS_C variables curl_transform_makefile_inc("Makefile.inc" "${CMAKE_CURRENT_BINARY_DIR}/Makefile.inc.cmake") include("${CMAKE_CURRENT_BINARY_DIR}/Makefile.inc.cmake") 
@@ -61,9 +61,3 @@ set_property(TARGET ${BUNDLE} APPEND PROPERTY COMPILE_DEFINITIONS "CURL_NO_OLDIE set_target_properties(${BUNDLE} PROPERTIES OUTPUT_NAME "${BUNDLE}" PROJECT_LABEL "Test ${BUNDLE}" UNITY_BUILD OFF C_CLANG_TIDY "") curl_clang_tidy_tests(${BUNDLE} ${FIRST_C} ${UTILS_C} ${TESTS_C}) - -if(HAVE_GSSAPI AND UNIX) - add_library(stubgss SHARED EXCLUDE_FROM_ALL ${STUB_GSS_C}) - set_target_properties(stubgss PROPERTIES UNITY_BUILD OFF) - add_dependencies(testdeps stubgss) -endif() diff --git a/tests/libtest/Makefile.am b/tests/libtest/Makefile.am index 5d1646b874..57e5715038 100644 --- a/tests/libtest/Makefile.am +++ b/tests/libtest/Makefile.am @@ -39,7 +39,7 @@ AM_CPPFLAGS = -I$(top_srcdir)/include \ -I$(srcdir) \ -I$(top_srcdir)/tests/unit -# Get BUNDLE, FIRST_C, FIRST_H, UTILS_C, UTILS_H, CURLX_C, TESTS_C, STUB_GSS_C, STUB_GSS_H variables +# Get BUNDLE, FIRST_C, FIRST_H, UTILS_C, UTILS_H, CURLX_C, TESTS_C variables include Makefile.inc EXTRA_DIST = CMakeLists.txt $(FIRST_C) $(FIRST_H) $(UTILS_C) $(UTILS_H) $(TESTS_C) \ @@ -50,8 +50,6 @@ CFLAGS += @CURL_CFLAG_EXTRAS@ # Prevent LIBS from being used for all link targets LIBS = $(BLANK_AT_MAKETIME) -noinst_LTLIBRARIES = - if USE_CPPFLAG_CURL_STATICLIB AM_CPPFLAGS += -DCURL_STATICLIB endif @@ -63,24 +61,6 @@ AM_CPPFLAGS += -DCURLDEBUG endif AM_CPPFLAGS += -DCURL_NO_OLDIES -DCURL_DISABLE_DEPRECATION -AM_LDFLAGS = -AM_CFLAGS = - -# Build a stub gssapi implementation for testing -if BUILD_STUB_GSS -noinst_LTLIBRARIES += libstubgss.la - -libstubgss_la_CPPFLAGS = -libstubgss_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version -rpath /nowhere -if CURL_LT_SHLIB_USE_NO_UNDEFINED -libstubgss_la_LDFLAGS += -no-undefined -endif -libstubgss_la_CFLAGS = $(AM_CFLAGS) -g -libstubgss_la_SOURCES = $(STUB_GSS_C) $(STUB_GSS_H) -libstubgss_la_LIBADD = -libstubgss_la_DEPENDENCIES = -endif - if USE_CPPFLAG_CURL_STATICLIB curlx_c_lib = else diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 59309b0687..138e757eb5 100644 
--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
@@ -96,6 +96,3 @@ TESTS_C = \
 lib3010.c lib3025.c lib3026.c lib3027.c \
 lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c \
 lib3207.c lib3208.c
-
-STUB_GSS_C = stub_gssapi.c
-STUB_GSS_H = stub_gssapi.h
diff --git a/tests/libtest/stub_gssapi.c b/tests/libtest/stub_gssapi.c
deleted file mode 100644
index 98aefe85a8..0000000000
--- a/tests/libtest/stub_gssapi.c
+++ /dev/null
@@ -1,460 +0,0 @@ -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - * SPDX-License-Identifier: curl - * - ***************************************************************************/ - -/* Only provides the bare minimum to link with libcurl */ - -#include -#include -#include - -#include "stub_gssapi.h" - -#define MAX_CREDS_LENGTH 250 -#define APPROX_TOKEN_LEN 250 - -enum min_err_code { - GSS_OK = 0, - GSS_NO_MEMORY, - GSS_INVALID_ARGS, - GSS_INVALID_CREDS, - GSS_INVALID_CTX, - GSS_SERVER_ERR, - GSS_NO_MECH, - GSS_LAST -}; - -static const char *min_err_table[] = { - "stub-gss: no error", - "stub-gss: no memory", - "stub-gss: invalid arguments", - "stub-gss: invalid credentials", - "stub-gss: invalid context", - "stub-gss: server returned error", - "stub-gss: cannot find a mechanism", - NULL -}; - -struct gss_ctx_id_t_desc_struct { - enum { NONE, KRB5, NTLM1, NTLM3 } sent; - int have_krb5; - int have_ntlm; - OM_uint32 flags; - char creds[MAX_CREDS_LENGTH]; -}; - -/* simple implementation of strndup(), which isn't portable */ -static char *my_strndup(const char *ptr, size_t len) -{ - char *copy = malloc(len + 1); - if(!copy) - return NULL; - memcpy(copy, ptr, len); - copy[len] = '\0'; - return copy; -} - -OM_uint32 
gss_init_sec_context(OM_uint32 *min, - gss_const_cred_id_t initiator_cred_handle, - gss_ctx_id_t *context_handle, - gss_const_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID *actual_mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec) -{ - /* The token will be encoded in base64 */ - size_t length = APPROX_TOKEN_LEN * 3 / 4; - size_t used = 0; - char *token = NULL; - const char *creds = NULL; - gss_ctx_id_t ctx = NULL; - - (void)initiator_cred_handle; - (void)mech_type; - (void)time_req; - (void)input_chan_bindings; - (void)actual_mech_type; - - if(!min) - return GSS_S_FAILURE; - - *min = 0; - - if(!context_handle || !target_name || !output_token) { - *min = GSS_INVALID_ARGS; - return GSS_S_FAILURE; - } - - creds = getenv("CURL_STUB_GSS_CREDS"); - if(!creds || strlen(creds) >= MAX_CREDS_LENGTH) { - *min = GSS_INVALID_CREDS; - return GSS_S_FAILURE; - } - - ctx = *context_handle; - if(ctx && strcmp(ctx->creds, creds)) { - *min = GSS_INVALID_CREDS; - return GSS_S_FAILURE; - } - - output_token->length = 0; - output_token->value = NULL; - - if(input_token && input_token->length) { - if(!ctx) { - *min = GSS_INVALID_CTX; - return GSS_S_FAILURE; - } - - /* Server response, either D (RA==) or C (Qw==) */ - if(((char *) input_token->value)[0] == 'D') { - /* Done */ - switch(ctx->sent) { - case KRB5: - case NTLM3: - if(ret_flags) - *ret_flags = ctx->flags; - if(time_rec) - *time_rec = GSS_C_INDEFINITE; - return GSS_S_COMPLETE; - default: - *min = GSS_SERVER_ERR; - return GSS_S_FAILURE; - } - } - - if(((char *) input_token->value)[0] != 'C') { - /* We only support Done or Continue */ - *min = GSS_SERVER_ERR; - return GSS_S_FAILURE; - } - - /* Continue */ - switch(ctx->sent) { - case KRB5: - /* We sent KRB5 and it failed, let's try NTLM */ - if(ctx->have_ntlm) { - ctx->sent = NTLM1; - break; - } - else { - 
*min = GSS_SERVER_ERR; - return GSS_S_FAILURE; - } - case NTLM1: - ctx->sent = NTLM3; - break; - default: - *min = GSS_SERVER_ERR; - return GSS_S_FAILURE; - } - } - else { - if(ctx) { - *min = GSS_INVALID_CTX; - return GSS_S_FAILURE; - } - - ctx = (gss_ctx_id_t) calloc(1, sizeof(*ctx)); - if(!ctx) { - *min = GSS_NO_MEMORY; - return GSS_S_FAILURE; - } - - if(strstr(creds, "KRB5")) - ctx->have_krb5 = 1; - - if(strstr(creds, "NTLM")) - ctx->have_ntlm = 1; - - if(ctx->have_krb5) - ctx->sent = KRB5; - else if(ctx->have_ntlm) - ctx->sent = NTLM1; - else { - free(ctx); - *min = GSS_NO_MECH; - return GSS_S_FAILURE; - } - - strcpy(ctx->creds, creds); - ctx->flags = req_flags; - } - - token = malloc(length); - if(!token) { - free(ctx); - *min = GSS_NO_MEMORY; - return GSS_S_FAILURE; - } - - /* Token format: creds:target:type:padding */ - /* Note: this is using the *real* snprintf() and not the curl provided - one */ - used = (size_t) snprintf(token, length, "%s:%s:%d:", creds, - (const char *)target_name, ctx->sent); - - if(used >= length) { - free(token); - free(ctx); - *min = GSS_NO_MEMORY; - return GSS_S_FAILURE; - } - - /* Overwrite null-terminator */ - memset(token + used, 'A', length - used); - - *context_handle = ctx; - - output_token->value = token; - output_token->length = length; - - return GSS_S_CONTINUE_NEEDED; -} - -OM_uint32 gss_delete_sec_context(OM_uint32 *min, - gss_ctx_id_t *context_handle, - gss_buffer_t output_token) -{ - (void)output_token; - - if(!min) - return GSS_S_FAILURE; - - if(!context_handle) { - *min = GSS_INVALID_CTX; - return GSS_S_FAILURE; - } - - free(*context_handle); - *context_handle = NULL; - *min = 0; - - return GSS_S_COMPLETE; -} - -OM_uint32 gss_release_buffer(OM_uint32 *min, - gss_buffer_t buffer) -{ - if(min) - *min = 0; - - if(buffer && buffer->length) { - free(buffer->value); - buffer->length = 0; - } - - return GSS_S_COMPLETE; -} - -OM_uint32 gss_import_name(OM_uint32 *min, - const gss_buffer_t input_name_buffer, - const gss_OID 
input_name_type, - gss_name_t *output_name) -{ - char *name = NULL; - (void)input_name_type; - - if(!min) - return GSS_S_FAILURE; - - if(!input_name_buffer || !output_name) { - *min = GSS_INVALID_ARGS; - return GSS_S_FAILURE; - } - - name = my_strndup(input_name_buffer->value, input_name_buffer->length); - if(!name) { - *min = GSS_NO_MEMORY; - return GSS_S_FAILURE; - } - - *output_name = (gss_name_t) name; - *min = 0; - - return GSS_S_COMPLETE; -} - -OM_uint32 gss_release_name(OM_uint32 *min, - gss_name_t *input_name) -{ - if(min) - *min = 0; - - if(input_name) - free(*input_name); - - return GSS_S_COMPLETE; -} - -OM_uint32 gss_display_status(OM_uint32 *min, - OM_uint32 status_value, - int status_type, - const gss_OID mech_type, - OM_uint32 *message_context, - gss_buffer_t status_string) -{ - static const char maj_str[] = "Stub GSS error"; - (void)mech_type; - if(min) - *min = 0; - - if(message_context) - *message_context = 0; - - if(status_string) { - status_string->value = NULL; - status_string->length = 0; - - if(status_value >= GSS_LAST) - return GSS_S_FAILURE; - - switch(status_type) { - case GSS_C_GSS_CODE: - status_string->value = strdup(maj_str); - break; - case GSS_C_MECH_CODE: - status_string->value = strdup(min_err_table[status_value]); - break; - default: - return GSS_S_FAILURE; - } - - if(status_string->value) - status_string->length = strlen(status_string->value); - else - return GSS_S_FAILURE; - } - - return GSS_S_COMPLETE; -} - -/* Stubs returning error */ - -OM_uint32 gss_display_name(OM_uint32 *min, - gss_const_name_t input_name, - gss_buffer_t output_name_buffer, - gss_OID *output_name_type) -{ - (void)min; - (void)input_name; - (void)output_name_buffer; - (void)output_name_type; - return GSS_S_FAILURE; -} - -OM_uint32 gss_inquire_context(OM_uint32 *min, - gss_const_ctx_id_t context_handle, - gss_name_t *src_name, - gss_name_t *targ_name, - OM_uint32 *lifetime_rec, - gss_OID *mech_type, - OM_uint32 *ctx_flags, - int *locally_initiated, - int 
*open_context) -{ - (void)min; - (void)context_handle; - (void)src_name; - (void)targ_name; - (void)lifetime_rec; - (void)mech_type; - (void)ctx_flags; - (void)locally_initiated; - (void)open_context; - return GSS_S_FAILURE; -} - -OM_uint32 gss_wrap(OM_uint32 *min, - gss_const_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer) -{ - (void)min; - (void)context_handle; - (void)conf_req_flag; - (void)qop_req; - (void)input_message_buffer; - (void)conf_state; - (void)output_message_buffer; - return GSS_S_FAILURE; -} - -OM_uint32 gss_unwrap(OM_uint32 *min, - gss_const_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state) -{ - (void)min; - (void)context_handle; - (void)input_message_buffer; - (void)output_message_buffer; - (void)conf_state; - (void)qop_state; - return GSS_S_FAILURE; -} - -OM_uint32 gss_seal(OM_uint32 *min, - gss_ctx_id_t context_handle, - int conf_req_flag, - int qop_req, - gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer) -{ - (void)min; - (void)context_handle; - (void)conf_req_flag; - (void)qop_req; - (void)input_message_buffer; - (void)conf_state; - (void)output_message_buffer; - return GSS_S_FAILURE; -} - -OM_uint32 gss_unseal(OM_uint32 *min, - gss_ctx_id_t context_handle, - gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - int *qop_state) -{ - (void)min; - (void)context_handle; - (void)input_message_buffer; - (void)output_message_buffer; - (void)conf_state; - (void)qop_state; - return GSS_S_FAILURE; -} diff --git a/tests/libtest/stub_gssapi.h b/tests/libtest/stub_gssapi.h deleted file mode 100644 index f02ec81929..0000000000 --- a/tests/libtest/stub_gssapi.h +++ /dev/null 
@@ -1,186 +0,0 @@ -#ifndef HEADER_CURL_GSSAPI_STUBS_H -#define HEADER_CURL_GSSAPI_STUBS_H -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - * SPDX-License-Identifier: curl - * - ***************************************************************************/ - -/* Roughly based on Heimdal's gssapi.h */ - -/* !checksrc! 
disable TYPEDEFSTRUCT all */ - -#include -#include - -#define GSS_ERROR(status) (status & 0x80000000) - -#define GSS_S_COMPLETE 0 -#define GSS_S_FAILURE (0x80000000) -#define GSS_S_CONTINUE_NEEDED (1ul) - -#define GSS_C_QOP_DEFAULT 0 -#define GSS_C_NO_OID ((gss_OID) 0) -#define GSS_C_NO_NAME ((gss_name_t) 0) -#define GSS_C_NO_BUFFER ((gss_buffer_t) 0) -#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) -#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) -#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) - -#define GSS_C_NULL_OID GSS_C_NO_OID - -#define GSS_C_EMPTY_BUFFER {0, NULL} - -#define GSS_C_AF_INET 2 - -#define GSS_C_GSS_CODE 1 -#define GSS_C_MECH_CODE 2 - -#define GSS_C_DELEG_FLAG 1 -#define GSS_C_MUTUAL_FLAG 2 -#define GSS_C_REPLAY_FLAG 4 -#define GSS_C_CONF_FLAG 16 -#define GSS_C_INTEG_FLAG 32 - -/* - * Expiration time of 2^32-1 seconds means infinite lifetime for a - * credential or security context - */ -#define GSS_C_INDEFINITE 0xfffffffful - -#define GSS_C_NT_HOSTBASED_SERVICE NULL - -typedef uint32_t OM_uint32; - -typedef OM_uint32 gss_qop_t; - -typedef struct gss_buffer_desc_struct { - size_t length; - void *value; -} gss_buffer_desc, *gss_buffer_t; - -struct gss_cred_id_t_desc_struct; -typedef struct gss_cred_id_t_desc_struct *gss_cred_id_t; -typedef const struct gss_cred_id_t_desc_struct *gss_const_cred_id_t; - -struct gss_ctx_id_t_desc_struct; -typedef struct gss_ctx_id_t_desc_struct *gss_ctx_id_t; -typedef const struct gss_ctx_id_t_desc_struct *gss_const_ctx_id_t; - -struct gss_name_t_desc_struct; -typedef struct gss_name_t_desc_struct *gss_name_t; -typedef const struct gss_name_t_desc_struct *gss_const_name_t; - -typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; -} gss_OID_desc, *gss_OID; - -typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; -} 
*gss_channel_bindings_t; - -OM_uint32 gss_release_buffer(OM_uint32 * /* minor_status */, - gss_buffer_t /* buffer */); - -OM_uint32 gss_init_sec_context(OM_uint32 * /* minor_status */, - gss_const_cred_id_t /* initiator_cred_handle */, - gss_ctx_id_t * /* context_handle */, - gss_const_name_t /* target_name */, - const gss_OID /* mech_type */, - OM_uint32 /* req_flags */, - OM_uint32 /* time_req */, - const gss_channel_bindings_t /* input_chan_bindings */, - const gss_buffer_t /* input_token */, - gss_OID * /* actual_mech_type */, - gss_buffer_t /* output_token */, - OM_uint32 * /* ret_flags */, - OM_uint32 * /* time_rec */); - -OM_uint32 gss_delete_sec_context(OM_uint32 * /* minor_status */, - gss_ctx_id_t * /* context_handle */, - gss_buffer_t /* output_token */); - -OM_uint32 gss_inquire_context(OM_uint32 * /* minor_status */, - gss_const_ctx_id_t /* context_handle */, - gss_name_t * /* src_name */, - gss_name_t * /* targ_name */, - OM_uint32 * /* lifetime_rec */, - gss_OID * /* mech_type */, - OM_uint32 * /* ctx_flags */, - int * /* locally_initiated */, - int * /* open_context */); - -OM_uint32 gss_wrap(OM_uint32 * /* minor_status */, - gss_const_ctx_id_t /* context_handle */, - int /* conf_req_flag */, - gss_qop_t /* qop_req */, - const gss_buffer_t /* input_message_buffer */, - int * /* conf_state */, - gss_buffer_t /* output_message_buffer */); - -OM_uint32 gss_unwrap(OM_uint32 * /* minor_status */, - gss_const_ctx_id_t /* context_handle */, - const gss_buffer_t /* input_message_buffer */, - gss_buffer_t /* output_message_buffer */, - int * /* conf_state */, - gss_qop_t * /* qop_state */); - -OM_uint32 gss_seal(OM_uint32 * /* minor_status */, - gss_ctx_id_t /* context_handle n */, - int /* conf_req_flag */, - int /* qop_req */, - gss_buffer_t /* input_message_buffer */, - int * /* conf_state */, - gss_buffer_t /* output_message_buffer */); - -OM_uint32 gss_unseal(OM_uint32 * /* minor_status */, - gss_ctx_id_t /* context_handle */, - gss_buffer_t /* 
input_message_buffer */, - gss_buffer_t /* output_message_buffer */, - int * /* conf_state */, - int * /* qop_state */); - -OM_uint32 gss_import_name(OM_uint32 * /* minor_status */, - const gss_buffer_t /* input_name_buffer */, - const gss_OID /* input_name_type */, - gss_name_t * /* output_name */); - -OM_uint32 gss_release_name(OM_uint32 * /* minor_status */, - gss_name_t * /* input_name */); - -OM_uint32 gss_display_name(OM_uint32 * /* minor_status */, - gss_const_name_t /* input_name */, - gss_buffer_t /* output_name_buffer */, - gss_OID * /* output_name_type */); - -OM_uint32 gss_display_status(OM_uint32 * /* minor_status */, - OM_uint32 /* status_value */, - int /* status_type */, - const gss_OID /* mech_type */, - OM_uint32 * /* message_context */, - gss_buffer_t /* status_string */); - -#endif /* HEADER_CURL_GSSAPI_STUBS_H */ diff --git a/tests/runner.pm b/tests/runner.pm index 36127c7c03..4df57730e2 100644 --- a/tests/runner.pm +++ b/tests/runner.pm @@ -670,17 +670,6 @@ sub singletest_setenv { if($content =~ /^=(.*)/) { # assign it $content = $1; - - if($var =~ /^LD_PRELOAD/) { - if(exe_ext('TOOL') && (exe_ext('TOOL') eq '.exe')) { - logmsg "Skipping LD_PRELOAD due to lack of OS support\n" if($verbose); - next; - } - if($feature{"Debug"} || !$has_shared) { - logmsg "Skipping LD_PRELOAD due to no release shared build\n" if($verbose); - next; - } - } $ENV{$var} = "$content"; logmsg "setenv $var = $content\n" if($verbose); } @@ -688,7 +677,6 @@ sub singletest_setenv { # remove it delete $ENV{$var} if($ENV{$var}); } - } } if($proxy_address) { diff --git a/tests/runtests.pl b/tests/runtests.pl index 8e3b58bd68..db9054ba1f 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl 
@@ -545,10 +545,6 @@ sub checksystemfeatures { $curl =~ s/^(.*)(libcurl.*)/$1/g || die "Failure determining curl binary version"; $libcurl = $2; - if($curl =~ /linux|bsd|solaris/i) { - # system supports LD_PRELOAD/LD_LIBRARY_PATH; may be disabled later - $feature{"ld_preload"} = 1; - } if($curl =~ /win32|Windows|windows|mingw(32|64)/) { # This is a Windows MinGW build or native build, we need to use # Windows-style path. @@ -767,9 +763,6 @@ sub checksystemfeatures { close($conf); } - # allow this feature only if debug mode is disabled - $feature{"ld_preload"} = $feature{"ld_preload"} && !$feature{"Debug"}; - if($feature{"IPv6"}) { # client has IPv6 support @@ -823,11 +816,6 @@ sub checksystemfeatures { } # 'socks' was once here but is now removed - $has_shared = `sh $CURLCONFIG --built-shared`; - chomp $has_shared; - $has_shared = $has_shared eq "yes"; - - if($torture) { if(!$feature{"TrackMemory"}) { die "can't run torture tests since curl was built without ". -- 2.47.2