Change #247494
| Category | curl | 
| Changed by | Devdatta Talele <devtalele0@gmail.com> | 
| Changed at | Mon 03 Nov 2025 18:16:54 | 
| Repository | https://github.com/curl/curl.git | 
| Project | curl | 
| Branch | master | 
| Revision | 8616e5aada9c78fb611c60d913c999c8e78c14ba | 
Comments
gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG

Fixes #19109 - GSSAPI authentication fails on macOS with Apple's Heimdal implementation which lacks GSS_C_CHANNEL_BOUND_FLAG support for TLS channel binding.

Commit 0a5ea09a910e introduced TLS channel binding for SPNEGO/GSSAPI authentication unconditionally, but Apple's Heimdal fork (used on macOS) does not support this feature, causing "unsupported mechanism" errors when authenticating to corporate HTTP services with Kerberos.

Solution:
- Add CURL_GSSAPI_HAS_CHANNEL_BINDING detection in curl_gssapi.h based on GSS_C_CHANNEL_BOUND_FLAG presence (MIT Kerberos >= 1.19)
- Make negotiatedata.channel_binding_data field conditional in vauth.h
- Guard channel binding collection/cleanup in http_negotiate.c
- Guard channel binding usage in spnego_gssapi.c

This follows the same pattern as GSS_C_DELEG_POLICY_FLAG detection and ensures graceful degradation when channel binding is unavailable while maintaining full support for implementations that have it.

Changes:
- lib/curl_gssapi.h: Add feature detection macro
- lib/vauth/vauth.h: Make struct field conditional
- lib/http_negotiate.c: Conditional init/cleanup (2 locations)
- lib/vauth/spnego_gssapi.c: Conditional channel binding usage

Tested on macOS with Apple Heimdal (no channel binding) and Linux with MIT Kerberos (with channel binding). Both configurations authenticate successfully without errors.

Closes #19164
Changed files
- lib/curl_gssapi.h
- lib/http_negotiate.c
- lib/vauth/spnego_gssapi.c
- lib/vauth/vauth.h