The GSS-API debug stub did not implement gss_inquire_context, so
the NTLM-detection logic in spnego_gssapi.c could not be exercised
without a real Kerberos environment.
Add stub_gss_inquire_context that returns the NTLMSSP OID when the
stub context is in NTLM mode and the Kerberos OID otherwise. Wrap it
behind Curl_gss_inquire_context so the stub is transparently
selected when CURL_STUB_GSS_CREDS is set.
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>

Add credential-based NTLM filtering for GSS-API SPNEGO. Acquire
explicit credentials, enumerate available mechanisms, filter out
the NTLMSSP OID, and apply via gss_set_neg_mechs(). Also verify
the negotiated mechanism after context establishment and reject
NTLM if disallowed.
Pass a cred_handle through Curl_gss_init_sec_context so SPNEGO
can use the restricted credentials.
Probe for gss_set_neg_mechs() availability (HAVE_GSS_SET_NEG_MECHS)
in configure and CMake.
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>

Use the SEC_WINNT_AUTH_IDENTITY_EX PackageList field to pass '!ntlm'
to the Negotiate SSP, preventing NTLM from being selected during
SPNEGO negotiation on Windows.
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>

Replace SEC_WINNT_AUTH_IDENTITY with SEC_WINNT_AUTH_IDENTITY_EX across all
SSPI authentication code. The extended structure adds Version, Length, and
PackageList fields while remaining backwards compatible with all SSPI
functions. Available since Windows XP.
Curl_create_sspi_identity now sets the Version and Length fields when
initializing the structure.
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>

It's mostly a filler word. I've read through each use of it in the code
base and did minor rephrasings when "simply" carried some meaning. In the
overwhelming majority of cases, removing it improved the text
significantly. Inspired by #20793.
Closes #20822

- 'badwords' is now a target in Makefile.am
- change badwords.txt to specify plain "words" instead of regexes so the
script can build single regexes when scanning, which makes the script
perform much faster (~6 times faster)
Closes #20869

scan-build has been dropped in favor of clang-tidy and this false
positive no longer triggers with it.
Follow-up to ce4db9c2ef #20751
Follow-up to 02f207a76b
Closes #20860

After targeting Vista as minimum, the non-bcrypt fallback code was
impossible to reach, because on UWP wincrypt is never available.
After this patch it's more obvious that no-SSL UWP builds only support
weak random source.
Follow-up to b17ef873ae #18009
Closes #20859

To avoid potential warning with autotools when using `CFLAGS`. Existing
jobs are not affected.
Also:
- drop a redundant `export`.
- ensure not to overwrite per-job options with UWP ones.
Closes #20857

Instead of the first internal call to `curlx_verify_windows_version()`.
To avoid the chance of a race, potentially resulting in initializing
this address twice. AFAICT it could not cause an issue before this
patch.
Reported by Codex Security
Follow-up to b17ef873ae #18009
Closes #20853

The actual init code remains identical after this patch. To make it
clearer where this initialization is called from, and to dedupe code.
Follow-up to b17ef873ae #18009
Closes #20852

The 'id' struct field in 'struct h3_stream_ctx' is a uint64_t type so
should be output with PRIu64 - and it makes sense to be consistent.
Note that the field with the same name in the ngtcp2 version of this
struct is a *signed* 64-bit variable.
Reported by Codex Security
Closes #20849

As the SOCK_CLOEXEC and SOCK_NONBLOCK get ORed to the socktype, this
introduces the cf_socktype() function to use when checking for the
specific socket type: DGRAM or STREAM. The function filters off the
non-type related bits to enable the comparison.
Follow-up to 05367694ec
Closes #20808

During conversion of `docs/FAQ` into Markdown, 'man ld' has incorrectly
kept one of its quotes when it was surrounded by backticks for inline
code formatting. A space on the left of it was lost as well.
Fix the formatting in the new `docs/FAQ.md`.
Closes #20812

If the first write was interrupted by a signal and a subsequent write
succeeds, the function would still erroneously return EINTR.
Found by Codex Security
Closes #20809

This fixes a regression and accidentally changed behavior shipped in
8.18.0 (via 6b9c75e219).
When the setopt is set to "" and curl is built without support for a
single compression algorithm, it used to use "identity" but recently did
not.
Spotted by Codex Security
Closes #20805