Commit fe0f8967bf fixed a problem with krb5 not being defined as a
supported feature when HAVE_GSSAPI is defined, however, it should
only be included if CURL_DISABLE_CRYPTO_AUTH is not set, like when
SPNEGO is listed as a feature.
By default, configure script assumes that libcurl will use the
HP-supplied GSS-API implementation which does not have krb5-config.
If a dev needs a more recent version which has that config script,
the change will allow to pass an appropriate GSSAPI_ROOT.
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
allows client and server to negotiate the underlying mechanism which will
actually be used to authenticate. This is *often* Kerberos, and can also
be NTLM and other things. And to complicate matters, there are various
different OIDs which can be used to specify the Kerberos mechanism too.
A SPNEGO exchange will identify *which* GSSAPI mechanism is being used,
and will exchange GSSAPI tokens which are appropriate for that mechanism.
But this SPNEGO implementation just strips the incoming SPNEGO packet
and extracts the token, if any. And completely discards the information
about *which* mechanism is being used. Then we *assume* it was Kerberos,
and feed the token into gss_init_sec_context() with the default
mechanism (GSS_S_NO_OID for the mech_type argument).
Furthermore... broken as this code is, it was never even *used* for input
tokens anyway, because higher layers of curl would just bail out if the
server actually said anything *back* to us in the negotiation. We assume
that we send a single token to the server, and it accepts it. If the server
wants to continue the exchange (as is required for NTLM and for SPNEGO
to do anything useful), then curl was broken anyway.
So the only bit which actually did anything was the bit in
Curl_output_negotiate(), which always generates an *initial* SPNEGO
token saying "Hey, I support only the Kerberos mechanism and this is its
token".
You could have done that by manually just prefixing the Kerberos token
with the appropriate bytes, if you weren't going to do any proper SPNEGO
handling. There's no need for the FBOpenSSL library at all.
The sane way to do SPNEGO is just to *ask* the GSSAPI library to do
SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context()
is for. And then it should all Just Work™.
That 'sane way' will be added in a subsequent patch, as will bug fixes
for our failure to handle any exchange other than a single outbound
token to the server which results in immediate success.
The old way using getpwuid could cause problems in programs that enable
reading from netrc files simultaneously in multiple threads.
Reported-by: David Woodhouse
When --with-nghttp2 was used (without a given path), the
PKG_CONFIG_LIBDIR varialbe could get clobbered and ruin a proper
detection of the library.
Reported-by: Dilyan Palauzov
Bug: http://curl.haxx.se/mail/lib-2014-04/0159.html
The issue is with HP-UX that is comes with HP flavor of MIT
Kerberos. This means that there is no krb5-config and the lib is called
libgss.so
Bug: http://curl.haxx.se/bug/view.cgi?id=1321
The ipv6 auto-detect test in configure returns a false negative when
CFLAGS contains -Werror=implicit-function-declaration. (I have been
using this flag to detect code issues that would result in SEGVs on
x86_64-cygwin.)
Patch-by: Yaakov Selkowitz
Bug: http://curl.haxx.se/bug/view.cgi?id=1304
We've announced this pending removal for a long time and we've
repeatedly asked if anyone would care or if anyone objects. Nobody has
objected. It has probably not even been working for a good while since
nobody has tested/used this code recently.
The stuff in krb4.h that was generic enough to be used by other sources
is now present in security.h
For libc variants without a spearate pthread lib (like bionic), try
using pthreads without the pthreads lib first and only if that fails try
the -lpthread linker flag.
Bug: http://curl.haxx.se/bug/view.cgi?id=1216
Reported by: Duncan
1 - We don't use the results from the test and we never did. recvfrom()
is only used by the TFTP code and it has not caused any problems.
2 - the CURL_CHECK_FUNC_RECVFROM function is extremely slow
This function was only used twice, both in places where performance
isn't crucial (socks + if2ip). Removing the use of this function removes
the need to have our private version for systems without it == reduced
amount of code.
Also, in the SOCKS case it is clearly better to fail gracefully rather
than to truncate the results.
This work was triggered by a bug report on the strcal prototype in
strequal.h.
strlcat was added in commit db70cd28 in February 2001!
Bug: http://curl.haxx.se/bug/view.cgi?id=1192
Reported by: Jeremy Huddleston
Some basic checks we make were placed early enough in generated
configure script when using autoconf 2.5X versions. Newer autoconf
versions expand these checks much further into the configure script,
rendering them useless. Using XC_CONFIGURE_PREAMBLE fixes placement
of early intended checks across all our autoconf supported versions.
Tested with:
buildconf: autoconf version 2.69
buildconf: autom4te version 2.69
buildconf: autoheader version 2.69
buildconf: automake version 1.13.1
buildconf: aclocal version 1.13.1
buildconf: libtool version 2.4
buildconf: GNU m4 version 1.4.16
I ran the 2.59 version of autoupdate that updates obsoleted configure.ac
constructs to the 2.59 standard. With a little hands-on fiddling I
prevented it from ruining the quoting in AS_HELP_STRING() uses.
I subsequently also bumped the required autoconf version to 2.59
(released in December 2003) as I don't have an older autoconf version
around to test with and I can't be bothered to install one either...
Inspired by: Björn Stenberg
Related blog post: http://cazfi.livejournal.com/195108.html
This reverts renaming and usage of lib/*.h header files done
28-12-2012, reverting 2 commits:
f871de0... build: make use of 76 lib/*.h renamed files
ffd8e12... build: rename 76 lib/*.h files
This also reverts removal of redundant include guard (redundant thanks
to changes in above commits) done 2-12-2013, reverting 1 commit:
c087374... curl_setup.h: remove redundant include guard
This also reverts renaming and usage of lib/*.c source files done
3-12-2013, reverting 3 commits:
13606bb... build: make use of 93 lib/*.c renamed files
5b6e792... build: rename 93 lib/*.c files
7d83dff... build: commit 13606bbfde follow-up 1
Start of related discussion thread:
http://curl.haxx.se/mail/lib-2013-01/0012.html
Asking for confirmation on pushing this revertion commit:
http://curl.haxx.se/mail/lib-2013-01/0048.html
Confirmation summary:
http://curl.haxx.se/mail/lib-2013-01/0079.html
NOTICE: The list of 2 files that have been modified by other
intermixed commits, while renamed, and also by at least one
of the 6 commits this one reverts follows below. These 2 files
will exhibit a hole in history unless git's '--follow' option
is used when viewing logs.
lib/curl_imap.h
lib/curl_smtp.h
automake 1.13 errors if AM_CONFIG_HEADER is used in configure script.
automake 1.13 no longer autoupdates AM_CONFIG_HEADER to
AC_CONFIG_HEADERS, thing which automake has been doing since automake
version 1.7
Given that our first automake supported version is automake 1.7,
simply replacing AM_CONFIG_HEADER usage with AC_CONFIG_HEADERS seems
enough to yet support same automake versions.
Dave Reisner reported issue with 1.13 and provided patch.
http://curl.haxx.se/mail/lib-2012-12/0246.html
BLANK_AT_MAKETIME may be used in our Makefile.am files to blank
LIBS variable used in generated makefile at makefile processing
time. Doing this functionally prevents LIBS from being used for
all link targets in given makefile.
AIX sys/poll.h header file defines 'events' and 'revents' as C
preprocessor macros. Usage of these literals in libcurl's external
API was introduced in commit de24d7bd4c causing AIX build failures.
Appropriate inclusion of sys/poll.h by libcurl's external interface
fixes AIX build and usage issues while avoiding a SONAME bump.
Removing this option as it currently only functions to lure people into
wrongly using it and falsely believing that libcurl will work fine
without using nonblocking sockets internally - which leads to hard to
track or understand errors.
This needs another look from the configure experts. I tested that
it works so far with MinGW64 cross-compiler; libcurl builds and
links fine, but curl not yet ...
Allow NTLM authentication when building using SecureTransport (Darwin) for SSL.
This uses CommonCrypto, a cryptography library that ships with all versions of
iOS and Mac OS X. It's like OpenSSL's libcrypto, except that it's missing a few
less-common cyphers and doesn't have a big number data structure.
This option may be used to build curl/libcurl using SSL/TLS support provided
by MS windows system libraries. Option is mutually exclusive with any other
SSL library. Default value is --without-winssl.
--with-winssl option implies --with-sspi option.
Option meaningful only for Windows builds.
Version number is removed in order to make this info consistent with
how we do it with other MS and Linux system libraries for which we don't
provide this info.
Identifier changed from 'WinSSPI' to 'schannel' given that this is the
actual provider of the SSL/TLS support. libcurl can still be built with
SSPI and without SCHANNEL support.
This change adds experimental Metalink support to curl.
To enable Metalink support, run configure with --with-libmetalink.
To feed Metalink file to curl, use --metalink option like this:
$ curl -O --metalink foo.metalink
We use libmetalink to parse Metalink files.
It checks whether versioned symbols should be enabled before checking
whether it is possible (i.e. the linker supports --version-script) or
not. This avoids a useless warning when building cURL on a platform that
does not use GNU ld.
Moreover, it fixes broken indentation of this chunk of code.
NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent
collisions on NSS initialization/shutdown with other libraries.
Bug: https://bugzilla.redhat.com/738456
configure script now provides conditional definitions for Makefile.am
that result in CURL_HIDDEN_SYMBOLS being defined by resulting makefiles
when appropriate.
Additionally, configure script option for symbol hiding control is now
named --enable-symbol-hiding --disable-symbol-hiding. While still valid,
old option name --enable-hidden-symbols --disable-hidden-symbols will
be deprecated in some future release.
BUILDING_LIBCURL and CURL_STATICLIB are no longer defined in curl_config.h,
configure will generate appropriate conditionals so that mentioned symbols
get defined and used in Makefiles at compilation time
Configuration files such as curl_config.h and all config-*.h no longer exist
nor are generated/copied into 'src' directory, now these only exist in 'lib'
directory from where curl tool sources uses them.
Additionally old src/setup.h has been refactored into src/tool_setup.h which
now pulls lib/setup.h
The possibility of a makefile needing an include path adjustment exists.
This allows building of libcurl on DOS using DJGPP 2.04 and Watt-32
sockets. I know there's already Makefile.djgpp, but I find this more
convenient since I'm used to using the ./configure script from other
platforms
Modify configure.ac to test for new CyaSSL Init function and remove
default install path to system. Change to CyaSSL OpenSSL header and
proper Init in code as well.
Note that this no longer detects or works with CyaSSL before v2
When support for nettle was added in 64f328c787, I overlooked
the fact that AC_CHECK_LIB doesn't add the tested lib to LIBS
if the check succeeded, if a custom success code block was present.
(The previous version of the check had an empty block for
successful checks, adding the lib to LIBS implicitly.)
Therefore, explicitly add either nettle or gcrypt to LIBS, after
deciding which one to use. Even if they can be linked in
transitively, it is safer to actually link explicitly to them.
This fixes building with gnutls with linkers that don't allow
linking transitively, such as for windows.