Add configure and CMake options to define CURL_DISABLE_NEGOTIATE_NTLM,
which gates the NTLM blocking logic in the SSPI and GSS-API SPNEGO
code paths behind a compile-time flag.
Add a 'SPNEGO-no-NTLM' feature string to curl --version output and
gate the SPNEGO NTLM blocking tests on the negotiate-ntlm-disabled
feature.
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
test2092 verifies that when only NTLM credentials are available and
CURL_DISABLE_NEGOTIATE_NTLM is active, SPNEGO auth is silently skipped
and the request is sent without an Authorization header.
test2093 verifies that Kerberos credentials still succeed when built
with CURL_DISABLE_NEGOTIATE_NTLM.
Both tests require the negotiate-ntlm-disabled feature, which is
reported by curl --version as "SPNEGO-no-NTLM" when the compile-time
option is active.
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
The GSS-API debug stub did not implement gss_inquire_context, so
the NTLM-detection logic in spnego_gssapi.c could not be exercised
without a real Kerberos environment.
Add stub_gss_inquire_context that returns the NTLMSSP OID when the
stub context is in NTLM mode and the Kerberos OID otherwise. Wrap it
behind Curl_gss_inquire_context so the stub is transparently
selected when CURL_STUB_GSS_CREDS is set.
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
Add credential-based NTLM filtering for GSS-API SPNEGO. Acquire
explicit credentials, enumerate available mechanisms, filter out
the NTLMSSP OID, and apply via gss_set_neg_mechs(). Also verify
the negotiated mechanism after context establishment and reject
NTLM if disallowed.
Pass a cred_handle through Curl_gss_init_sec_context so SPNEGO
can use the restricted credentials.
Probe for gss_set_neg_mechs() availability (HAVE_GSS_SET_NEG_MECHS)
in configure and CMake.
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
Use the SEC_WINNT_AUTH_IDENTITY_EX PackageList field to pass '!ntlm'
to the Negotiate SSP, preventing NTLM from being selected during
SPNEGO negotiation on Windows.
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
There is no reason we should treat this part differently on Windows. Now
anything except blank, localhost or 127.0.0.1 causes an error there as well.
Also: fix query handling in urlencode_str
Closes #21296
- enable three checks:
- bugprone-invalid-enum-default-initialization
- bugprone-sizeof-expression
- readability-inconsistent-declaration-parameter-name (strict)
- fix remaining discrepancies with arg names in prototypes
and implementation, in strict mode.
- document reason for some checks tested but not enabled.
Closes #20794
- examples: sync debug output printf masks.
- INSTALL-CMAKE.md: tidy up section for some options.
- curl_sha512_256: delete comment suggesting an optimization.
- vtls/keylog: scope a variable.
- vtls/openssl: make a source code URL a permalink.
- vtls/schannel: drop redundant parentheses.
- test1119.pl: robustify `$1` -> `$s`.
- sync arg names in comments to match the code.
- tidy up and minor fixes to comments.
- fix formatting/indenting/comment/newline/include nits.
- move `UNITTEST` protos next to definitions, sync their argument names.
- make variables static.
- add parentheses to Perl `open()` calls.
- drop unnecessary double quotes in Perl.
- clang-format.
Closes #21000
When a user supplied an ip address in a URL as hostname, use that even
when address family restrictions like -4 or -6 are set.
Add test_10_15/16 to verify with a local proxy server.
Fixes #21146
Reported-by: Terrance Wong
How:
- cf-dns: on seeing that the hostname is an IP(v6) address, add the respective
A/AAAA to the dns query bits
- cf-dns/hostip: only hand out addrinfos for a family if that family
is part of the DNS queries. That prevents, for example, ipv6 addresses
from showing up from dns cache entries
- change cf-ip-happy to no longer check for "ip_version" and instead
use all addresses that cf-dns hands out
Closes #21295
Replace SEC_WINNT_AUTH_IDENTITY with SEC_WINNT_AUTH_IDENTITY_EX across all
SSPI authentication code. The extended structure adds Version, Length, and
PackageList fields while remaining backwards compatible with all SSPI
functions. Available since Windows XP.
Curl_create_sspi_identity now sets the Version and Length fields when
initializing the structure.
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
Fix http auth to set the `picked` auth when sending the corresponding
headers. Fix reporting Digest as avail.
Fixes #21274
Reported-by: sergio-nsk on github
Closes #21284
Add `resolv-threaded` to curlinfo to detect use of the threaded resolver
correctly even with c-ares linked to https-rr.
Run test_21_05 exactly when threaded resolver is built.
Closes #21287
This should return an SSL_CTX pointer but it was accidentally broken.
Verify with test 1587
Follow-up to 2db8ae480f
Spotted by Codex Security
Closes #21290
- convert `#` comments to `dnl`, except copyright headers, and inline
comments in `curl-compilers.m4`.
- drop empty comments.
- drop line-ending `dnl` markers. (except `zz40-xc-ovr.m4` where it's
used to produce a comment in `configure`.)
- replace `dnl` line with C comment in `AC_CHECK_HEADERS()`.
Verified to produce the same `configure` script except empty lines,
`#` comments, and C comments, with autoreconf 2.72.
Cherry-picked from #21000
Closes #21246
Run test_07_22 only on http/1.1 and h2. For h3, we get unreliable test
results in CI due to (probably) nghttpx not always reporting the RESET
from the backend and the test timing out.
Closes #21286
... unless it is a POST and the user explicitly asked to keep doing
POST.
Add test1983/1984: verify --follow with 303 and PUT + custom GET
Fixes #20715
Reported-by: Dan Arnfield
Closes #21280
- By making retry_sleep() a separate function that determines how long to
wait until the next retry.
- switch the retry timer to uint32 to make it uniform across platforms
Closes #21279
Connection filters can now carry the flag CF_TYPE_SETUP, indicating that
they are only needed during connection setup, e.g. connect.
Once the connection is fully established, those filters are removed
again. This frees resources and also makes the filter (call) chains
shorter.
Closes #21269
When HTTPS-RR is needed for the HTTP/3 handshake, delay the connect
until it arrives. Relevant only for TLS backends that support ECH, for
now.
Closes #21253
To avoid (mis-)detecting it via the internal Apple library
`/usr/lib/system/libsystem_sim_kernel.dylib` when targeting iPhone
Simulator (seen with iPhoneSimulator26.4.sdk).
Reported-by: Ian Spence
Fixes #21236
Closes #21271
Make cf-https-connect work async correctly:
- only start first baller when at least one A/AAAA address
is available
- select first connect attempt after that with HTTPS-RR info
there or not.
- select second connect attempt only when HTTPS-RR is resolved
(may have resolved to "not known") and select possible ALPN
from things known by then. May not select any second attempt
when first already covers everything.
This means when the HTTPS-RR is known at/before the first address
is resolved, everything behaves as before. When the HTTPS-RR is
late, a first connection attempt will have been started. Any
ALPN preference from the HTTPS-RR that is not already ongoing will
then start the second attempt.
For HTTPS-RRs that recommend 2 or more ALPNs, the first will always
be attempted: either it is already ongoing or it will be the ALPN
for the second attempt. The 2nd ALPN recommendation from HTTPS-RR
*may* be honored or not, depending on what is already selected.
The difference in behaviour between early/late HTTPS-RR resolve
cannot be helped - unless we do not perform any attempts before
it arrives. Trade-offs.
Closes #21267
Mostly, this means two blank lines between classes and functions and one
line between methods. Since these checks are currently in preview, they
are done in a separate ruff invocation to avoid turning ALL the preview
checks on at the same time.
- Checks for missing explicit `return` statements at the end of functions
that can return non-`None` values.
- Checks for classes that inherit from `object`.
- Checks for useless expressions.
- Within an `except*` clause, raise exceptions with `raise ... from err`
or `raise ... from None` to distinguish them from errors in exception
handling.
- Checks for variable assignments that immediately precede a `return` of the
assigned variable.
- Checks for `else` statements with a `return` statement in the preceding
`if` block.
- Checks for unnecessary parentheses on raised exceptions.
Closes: #21258