CURLOPT_GSSAPI_DELEGATION exposes distinct modes:
CURLGSSAPI_DELEGATION_POLICY_FLAG is documented as delegating only when
OK-AS-DELEGATE policy permits it, while CURLGSSAPI_DELEGATION_FLAG is
unconditional. The new SSPI implementation checks for either bit and
sets ISC_REQ_DELEGATE, so a caller requesting policy-limited delegation
is put on the same SSPI path as unconditional delegation.
In addition, curl's existing protection that avoids reusing a connection
when the GSS delegation setting differs was guarded only by HAVE_GSSAPI;
SSPI-only builds now have an effective delegation option, but the
connection's delegation setting was neither copied nor compared. This
would cause Windows SSPI Negotiate/Kerberos authentication to delegate
credentials contrary to the caller's selected policy or reuse an
already-delegated authenticated connection for a transfer that requested
no delegation.
Follow-up to cc6777d939
Reported by Codex Security
Closes#21583
The SASL service name, used in authentication, is part of curl's credentials
when authenticating to a server/proxy. Make it part of `struct Curl_creds`.
Change code to use `creds` to obtain a service name. By tying creds used
to the connection, connection reuse is also only allowed when the service
name matches.
Closes#21585
Authorizdation credentials are kept in `struct Curl_creds`. This contains:
* `user`: the username, maybe the empty string
* `passwd`: the password, maybe the empty string
* `sasl_authzid`: the SASL authz value, maybe the empty string
* `oauth_bearer`: the OAUTH bearer token, maybe the empty string
* `source`: where the credentials from from
* `refcount`: a reference counter to link/unkink creds
A `creds` with all values empty is equivalent to NULL, e.g. no `creds`
instance. With reference counting, `creds` can be linked/unlinked
in several places.
See docs/internals/CREDENTIALS.md for use.
Closes#21548
Make CURLOPT_GSSAPI_DELEGATION effective on Windows builds that use SSPI
(instead of a native GSS-API implementation), so Kerberos delegation can
be requested during SPNEGO/Negotiate authentication.
Closes#21528
Previously, the use of checkprefix() alone allowed the code to match not
only on "blksize" but also (mistakenly) on "blksizeFOO" etc.
Reported-by: Andrew Nesbit
Closes#21560
The events on a multi wakeup socketpair were only consumed via
curl_multi_poll()/curl_multi_wait() but not in event based processing on
a curl_multi_socket() call. That led to busy loops as reported in
Fixes#21547
Reported-by: Earnestly on github
Closes#21549
- disable DES with nettle 4. It no longer supports it.
```
lib/curl_ntlm_core.c:67:12: fatal error: 'nettle/des.h' file not found
67 | # include <nettle/des.h>
| ^~~~~~~~~~~~~~
```
- fix MD4 support with nettle 4.
```
lib/md4.c:178:36: error: too many arguments to function call, expected 2, have 3
178 | md4_digest(ctx, MD4_DIGEST_SIZE, digest);
| ~~~~~~~~~~ ^~~~~~
```
- fix unused argument compiler warning:
```
lib/vtls/gtls.c:2267:39: error: unused parameter 'sha256len' [clang-diagnostic-unused-parameter,-warnings-as-errors]
2267 | size_t sha256len)
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970143?pr=21557
- GHA/macos: stop enabling NTLM in the GnuTLS job.
It no longer builds due to missing DES support in nettle 4.
```
lib/curl_ntlm_core.c:90:4: error: "cannot compile NTLM support without a crypto library with DES."
90 | # error "cannot compile NTLM support without a crypto library with DES."
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970170?pr=21557
Follow-up to cfadbaa133#21169Closes#21557
These macros are leftovers from when DNS caching was moved out of
hostip.c into its own source file. Both are still defined and used in
lib/dnscache.c; the copies in lib/hostip.c are unreferenced.
Detected with clang -Wunused-macros.
Follow-up to 96d5b5c688Closes#21550
This bit was used to do Digest authentication like Internet Explorer
before version 7 (released on October 18, 2006). Presumably no one uses
this anymore and since it is hard to use and does broken auth, starting
in 8.21.0 this bit does nothing (except setting the actual Digest bit).
Closes#21486
The code would previously read one byte past the provided
CURLOPT_CAINFO_BLOB if the blob ends exactly with -----BEGIN
CERTIFICATE-----
Reported-by: Andrew Nesbit
Closes#21543
- passing an unknown string to CURLOPT_ECH now returns error
To properly allow applications to spot if they pass in a typo or
something to libcurl.
- CURLECH_DISABLE is now a plain zero internally, not a dedicated bit which
simplifies checks for when ECH is enabled
- Dropped the CURLECH_CLA_CFG bit, and just check STRING_ECH_CONFIG
- Turn grease/enable/hard into three different numerical values, no bitmask
needed
- Convert the struct field 'tls_ech' from an int to a byte.
Closes#21532
The 'ber' pointer could remain allocated in the exit path if the write
callback returned error for one of the Curl_client_write() calls.
Reported-by: Andrew Nesbit
Closes#21530
When a connection is tested for reuse in a transfer that *may* upgrade
to TLS (commonly via STARTTLS), the SSL configuration must match the
existing connection.
Reported-by: Andrew Nesbit
Closes#21522
- rename `req->proxyuserpwd` to `req->hd_proxy_auth`
- rename `req->userpwd` to `req->hd_auth`
- rename parameter `proxytunnel` to `is_connect` for Curl_http_output_auth()
- move path+query concatenation into Curl_http_output_auth(), saving an alloc when no auth is in play
- rename `H1_HD_USER_AUTH` into `H1_HD_AUTH`
Closes#21513
The CURLOPT_SSH_HOST_PUBLIC_KEY_* options are documented to verify the
host at connect time and not for connection reuse. Once the SSH host has
been deemed okay, it remains okay as long as the connection survives.
In addition: this function currently always returned TRUE since the
pointers have been NULLed in the SSH backend code before this function
is called.
Follow-up to c31fcf2dec
Reported-by: Andrew Nesbit
Closes#21519
Unfortunately, mbedtls_pk_parse_key() requires the data to be
null-terminated if the data is PEM encoded (even when provided the exact
length), so this function needs to make a copy that has one.
Reported-by: Elise Vance
Closes#21515
Unix domain socket paths need to be compared case-senstive, in contrast
to DNS hostnames.
Follow-up to bc40e09f63
Pointed out by Codex Security
Closes#21511
`struct Curl_peer` keeps information about a communication endpoint
together. It will replace `conn->host` and `conn->conn_to_host` and
proxyinfo host. It will also become part of `struct ssl_peer`.
It has a reference counter, so an instance can be shared between
connections and filters.
Elminiates `conn->host` and `conn->connect_to_host`, used in the
proxyinfo structures. Passed to DNS resolution and socks filters, etc.
Pass peer to http proxy and socks tunnel filters. Use peer in dns filter
and resolving. Make `Curl_peer` a member in the `struct ssl_peer`.
Add `docs/internals/PEERS.md` for documentation.
Closes#21472
This allows the unit tests to have a prototype involving such a struct
pointer - even when the build is done without threaded resolver.
Follow-up to 117d50b4bfCloses#21503
