[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Fri Nov 3 03:54:02 UTC 2023
The branch, master has been updated
via cfec96d5e9f third_party/heimdal: Import lorikeet-heimdal-202311030123 (commit 2346a67fe25cbf16128501665db41f6840546e15)
from 3ef68efca29 tests/krb5: Fix comments
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit cfec96d5e9fb2195f9e14e09bf66a68c969f4bbd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Nov 3 14:27:52 2023 +1300
third_party/heimdal: Import lorikeet-heimdal-202311030123 (commit 2346a67fe25cbf16128501665db41f6840546e15)
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Nov 3 03:53:08 UTC 2023 on atb-devel-224
-----------------------------------------------------------------------
Summary of changes:
third_party/heimdal/kdc/fast.c | 18 ++++--
third_party/heimdal/kdc/pkinit.c | 2 +-
third_party/heimdal/lib/hcrypto/bn.c | 4 +-
third_party/heimdal/lib/hcrypto/pkcs12.c | 4 +-
third_party/heimdal/lib/hdb/common.c | 1 -
third_party/heimdal/lib/hdb/hdb-ldap.c | 1 +
third_party/heimdal/lib/hx509/ca.c | 13 ++--
third_party/heimdal/lib/hx509/cms.c | 2 +-
third_party/heimdal/lib/hx509/hxtool.c | 2 +
third_party/heimdal/lib/hx509/ks_file.c | 2 +-
third_party/heimdal/lib/krb5/acache.c | 2 +
third_party/heimdal/lib/krb5/build_ap_req.c | 6 +-
third_party/heimdal/lib/krb5/context.c | 72 ++++++++++++++++------
third_party/heimdal/lib/krb5/kx509.c | 2 +-
third_party/heimdal/lib/krb5/pkinit.c | 4 +-
third_party/heimdal/lib/krb5/store.c | 2 +-
third_party/heimdal/lib/roken/base32.c | 16 ++---
.../heimdal/lib/wind/gen-punycode-examples.py | 8 +--
18 files changed, 108 insertions(+), 53 deletions(-)
Changeset truncated at 500 lines:
diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c
index 7b96371723e..bc77f74664c 100644
--- a/third_party/heimdal/kdc/fast.c
+++ b/third_party/heimdal/kdc/fast.c
@@ -406,8 +406,8 @@ _kdc_fast_mk_e_data(astgs_request_t r,
NULL,
error_client,
error_server,
- NULL,
- NULL,
+ csec,
+ cusec,
e_data);
if (ret) {
kdc_log(r->context, r->config, 1,
@@ -508,8 +508,8 @@ _kdc_fast_mk_error(astgs_request_t r,
error_client = NULL;
error_server = NULL;
}
- csec = 0;
- cusec = 0;
+ csec = NULL;
+ cusec = NULL;
}
ret = krb5_mk_error(r->context,
@@ -603,6 +603,9 @@ fast_unwrap_request(astgs_request_t r,
*
*/
if (fxreq.u.armored_data.armor != NULL) {
+ krb5uint32 kvno;
+ krb5uint32 *kvno_ptr = NULL;
+
if (fxreq.u.armored_data.armor->armor_type != 1) {
kdc_log(r->context, r->config, 4,
"Incorrect AS-REQ armor type");
@@ -628,9 +631,14 @@ fast_unwrap_request(astgs_request_t r,
goto out;
}
+ if (ap_req.ticket.enc_part.kvno != NULL) {
+ kvno = *ap_req.ticket.enc_part.kvno;
+ kvno_ptr = &kvno;
+ }
+
ret = _kdc_db_fetch(r->context, r->config, armor_server_principal,
HDB_F_GET_KRBTGT | HDB_F_DELAY_NEW_KEYS,
- (krb5uint32 *)ap_req.ticket.enc_part.kvno,
+ kvno_ptr,
&r->armor_serverdb, &r->armor_server);
if(ret == HDB_ERR_NOT_FOUND_HERE) {
free_AP_REQ(&ap_req);
diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c
index d97ae227ae6..255441ce071 100644
--- a/third_party/heimdal/kdc/pkinit.c
+++ b/third_party/heimdal/kdc/pkinit.c
@@ -1078,9 +1078,9 @@ pk_mk_pa_reply_dh(krb5_context context,
unsigned char *p;
ret = _kdc_serialize_ecdh_key(context, cp->u.ecdh.key, &p,
&dh_info.subjectPublicKey.length);
- dh_info.subjectPublicKey.data = p;
if (ret)
goto out;
+ dh_info.subjectPublicKey.data = p;
} else
krb5_abortx(context, "no keyex selected ?");
diff --git a/third_party/heimdal/lib/hcrypto/bn.c b/third_party/heimdal/lib/hcrypto/bn.c
index 62297b145f1..9e9db4ec89a 100644
--- a/third_party/heimdal/lib/hcrypto/bn.c
+++ b/third_party/heimdal/lib/hcrypto/bn.c
@@ -235,7 +235,7 @@ static const unsigned char is_set[8] = { 1, 2, 4, 8, 16, 32, 64, 128 };
int
BN_is_bit_set(const BIGNUM *bn, int bit)
{
- heim_integer *hi = (heim_integer *)bn;
+ const heim_integer *hi = (const heim_integer *)bn;
unsigned char *p = hi->data;
if ((bit / 8) >= hi->length || hi->length == 0)
@@ -306,7 +306,7 @@ BN_set_word(BIGNUM *bn, unsigned long num)
unsigned long
BN_get_word(const BIGNUM *bn)
{
- heim_integer *hi = (heim_integer *)bn;
+ const heim_integer *hi = (const heim_integer *)bn;
unsigned long num = 0;
int i;
diff --git a/third_party/heimdal/lib/hcrypto/pkcs12.c b/third_party/heimdal/lib/hcrypto/pkcs12.c
index 5f0791feee3..29fc5243605 100644
--- a/third_party/heimdal/lib/hcrypto/pkcs12.c
+++ b/third_party/heimdal/lib/hcrypto/pkcs12.c
@@ -78,7 +78,7 @@ PKCS12_key_gen(const void *key, size_t keylen,
if (salt && saltlen > 0) {
for (i = 0; i < vlen; i++)
- I[i] = ((unsigned char*)salt)[i % saltlen];
+ I[i] = ((const unsigned char*)salt)[i % saltlen];
size_I += vlen;
}
/*
@@ -89,7 +89,7 @@ PKCS12_key_gen(const void *key, size_t keylen,
if (key) {
for (i = 0; i < vlen / 2; i++) {
I[(i * 2) + size_I] = 0;
- I[(i * 2) + size_I + 1] = ((unsigned char*)key)[i % (keylen + 1)];
+ I[(i * 2) + size_I + 1] = ((const unsigned char*)key)[i % (keylen + 1)];
}
size_I += vlen;
}
diff --git a/third_party/heimdal/lib/hdb/common.c b/third_party/heimdal/lib/hdb/common.c
index f86481dd9ea..3b8c7c5f7b6 100644
--- a/third_party/heimdal/lib/hdb/common.c
+++ b/third_party/heimdal/lib/hdb/common.c
@@ -1629,7 +1629,6 @@ fetch_it(krb5_context context,
/* Extra ':'s? No virtualization for you! */
free(host);
host = NULL;
- htmp = NULL;
} else {
*htmp = '\0';
}
diff --git a/third_party/heimdal/lib/hdb/hdb-ldap.c b/third_party/heimdal/lib/hdb/hdb-ldap.c
index 5cd097f5b6b..902426d1276 100644
--- a/third_party/heimdal/lib/hdb/hdb-ldap.c
+++ b/third_party/heimdal/lib/hdb/hdb-ldap.c
@@ -366,6 +366,7 @@ LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
if (ret)
return ret;
+ memset(&tm, 0, sizeof tm);
tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
if (tmp == NULL) {
free(gentime);
diff --git a/third_party/heimdal/lib/hx509/ca.c b/third_party/heimdal/lib/hx509/ca.c
index ee5d56af29c..02e256314d7 100644
--- a/third_party/heimdal/lib/hx509/ca.c
+++ b/third_party/heimdal/lib/hx509/ca.c
@@ -1187,8 +1187,7 @@ hx509_ca_tbs_add_san_permanentIdentifier_string(hx509_context context,
p = strchr(freeme, ':');
if (!p) {
hx509_set_error_string(context, 0, EINVAL,
- "Invalid PermanentIdentifier string (should be \"[<oid>]:[<id>]\")",
- oidstr);
+ "Invalid PermanentIdentifier string (should be \"[<oid>]:[<id>]\")");
free(freeme);
return EINVAL;
}
@@ -1297,8 +1296,7 @@ hx509_ca_tbs_add_san_hardwareModuleName_string(hx509_context context,
if (!p) {
hx509_set_error_string(context, 0, EINVAL,
"Invalid HardwareModuleName string (should be "
- "\"<oid>:<serial>\")",
- oidstr);
+ "\"<oid>:<serial>\")");
free(freeme);
return EINVAL;
}
@@ -1735,7 +1733,12 @@ ca_sign(hx509_context context,
hx509_set_error_string(context, 0, ret, "Out of memory");
goto out;
}
- RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length);
+ ret = RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length);
+ if (ret != 1) {
+ ret = HX509_CRYPTO_INTERNAL_ERROR;
+ hx509_set_error_string(context, 0, ret, "Failed to generate random bytes");
+ goto out;
+ }
((unsigned char *)tbsc->serialNumber.data)[0] &= 0x7f;
((unsigned char *)tbsc->serialNumber.data)[0] |= 0x40;
}
diff --git a/third_party/heimdal/lib/hx509/cms.c b/third_party/heimdal/lib/hx509/cms.c
index 6bf972ce492..8615f03ee81 100644
--- a/third_party/heimdal/lib/hx509/cms.c
+++ b/third_party/heimdal/lib/hx509/cms.c
@@ -938,7 +938,7 @@ hx509_cms_verify_signed_ext(hx509_context context,
if (signer_info->signature.length == 0) {
ret = HX509_CMS_MISSING_SIGNER_DATA;
hx509_set_error_string(context, 0, ret,
- "SignerInfo %d in SignedData "
+ "SignerInfo %zu in SignedData "
"missing sigature", i);
continue;
}
diff --git a/third_party/heimdal/lib/hx509/hxtool.c b/third_party/heimdal/lib/hx509/hxtool.c
index 9dbb5ccb197..f61187163c3 100644
--- a/third_party/heimdal/lib/hx509/hxtool.c
+++ b/third_party/heimdal/lib/hx509/hxtool.c
@@ -2902,9 +2902,11 @@ ptime(const char *s)
char *rest;
int at_s;
+ memset(&at_tm, 0, sizeof at_tm);
if ((rest = strptime(s, "%Y-%m-%dT%H:%M:%S", &at_tm)) != NULL &&
rest[0] == '\0')
return mktime(&at_tm);
+ memset(&at_tm, 0, sizeof at_tm);
if ((rest = strptime(s, "%Y%m%d%H%M%S", &at_tm)) != NULL && rest[0] == '\0')
return mktime(&at_tm);
if ((at_s = parse_time(s, "s")) != -1)
diff --git a/third_party/heimdal/lib/hx509/ks_file.c b/third_party/heimdal/lib/hx509/ks_file.c
index 6d8c77bd240..35796adb739 100644
--- a/third_party/heimdal/lib/hx509/ks_file.c
+++ b/third_party/heimdal/lib/hx509/ks_file.c
@@ -197,7 +197,7 @@ parse_pem_private_key(hx509_context context, const char *fn, int flags,
if (strcmp(enc, "4,ENCRYPTED") != 0) {
hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
"Private key encrypted in unknown method %s "
- "in file",
+ "in file %s",
enc, fn);
hx509_clear_error_string(context);
return HX509_PARSING_KEY_FAILED;
diff --git a/third_party/heimdal/lib/krb5/acache.c b/third_party/heimdal/lib/krb5/acache.c
index 63d56c400bf..72403d7b38a 100644
--- a/third_party/heimdal/lib/krb5/acache.c
+++ b/third_party/heimdal/lib/krb5/acache.c
@@ -88,7 +88,9 @@ static krb5_error_code
init_ccapi(krb5_context context)
{
const char *lib = NULL;
+#ifdef HAVE_DLOPEN
char *explib = NULL;
+#endif
HEIMDAL_MUTEX_lock(&acc_mutex);
if (init_func) {
diff --git a/third_party/heimdal/lib/krb5/build_ap_req.c b/third_party/heimdal/lib/krb5/build_ap_req.c
index 01019520514..cb6f60d4a1f 100644
--- a/third_party/heimdal/lib/krb5/build_ap_req.c
+++ b/third_party/heimdal/lib/krb5/build_ap_req.c
@@ -51,7 +51,11 @@ krb5_build_ap_req (krb5_context context,
ap.ap_options.use_session_key = (ap_options & AP_OPTS_USE_SESSION_KEY) > 0;
ap.ap_options.mutual_required = (ap_options & AP_OPTS_MUTUAL_REQUIRED) > 0;
- decode_Ticket(cred->ticket.data, cred->ticket.length, &ap.ticket, &len);
+ ret = decode_Ticket(cred->ticket.data, cred->ticket.length, &ap.ticket, &len);
+ if (ret)
+ return ret;
+ if (cred->ticket.length != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
ap.authenticator.etype = enctype;
ap.authenticator.kvno = NULL;
ap.authenticator.cipher = authenticator;
diff --git a/third_party/heimdal/lib/krb5/context.c b/third_party/heimdal/lib/krb5/context.c
index 19548d4130d..9d03a80afe2 100644
--- a/third_party/heimdal/lib/krb5/context.c
+++ b/third_party/heimdal/lib/krb5/context.c
@@ -284,29 +284,47 @@ init_context_from_config_file(krb5_context context)
static krb5_error_code
cc_ops_register(krb5_context context)
{
+ krb5_error_code ret;
+
context->cc_ops = NULL;
context->num_cc_ops = 0;
#ifndef KCM_IS_API_CACHE
- krb5_cc_register(context, &krb5_acc_ops, TRUE);
+ ret = krb5_cc_register(context, &krb5_acc_ops, TRUE);
+ if (ret)
+ return ret;
#endif
- krb5_cc_register(context, &krb5_fcc_ops, TRUE);
- krb5_cc_register(context, &krb5_dcc_ops, TRUE);
- krb5_cc_register(context, &krb5_mcc_ops, TRUE);
+ ret = krb5_cc_register(context, &krb5_fcc_ops, TRUE);
+ if (ret)
+ return ret;
+ ret = krb5_cc_register(context, &krb5_dcc_ops, TRUE);
+ if (ret)
+ return ret;
+ ret = krb5_cc_register(context, &krb5_mcc_ops, TRUE);
+ if (ret)
+ return ret;
#ifdef HAVE_SCC
- krb5_cc_register(context, &krb5_scc_ops, TRUE);
+ ret = krb5_cc_register(context, &krb5_scc_ops, TRUE);
+ if (ret)
+ return ret;
#endif
#ifdef HAVE_KCM
#ifdef KCM_IS_API_CACHE
- krb5_cc_register(context, &krb5_akcm_ops, TRUE);
+ ret = krb5_cc_register(context, &krb5_akcm_ops, TRUE);
+ if (ret)
+ return ret;
#endif
- krb5_cc_register(context, &krb5_kcm_ops, TRUE);
+ ret = krb5_cc_register(context, &krb5_kcm_ops, TRUE);
+ if (ret)
+ return ret;
#endif
#if defined(HAVE_KEYUTILS_H)
- krb5_cc_register(context, &krb5_krcc_ops, TRUE);
+ ret = krb5_cc_register(context, &krb5_krcc_ops, TRUE);
+ if (ret)
+ return ret;
#endif
- _krb5_load_ccache_plugins(context);
- return 0;
+ ret = _krb5_load_ccache_plugins(context);
+ return ret;
}
static krb5_error_code
@@ -338,18 +356,30 @@ cc_ops_copy(krb5_context context, const krb5_context src_context)
static krb5_error_code
kt_ops_register(krb5_context context)
{
+ krb5_error_code ret;
+
context->num_kt_types = 0;
context->kt_types = NULL;
- krb5_kt_register (context, &krb5_fkt_ops);
- krb5_kt_register (context, &krb5_wrfkt_ops);
- krb5_kt_register (context, &krb5_javakt_ops);
- krb5_kt_register (context, &krb5_mkt_ops);
+ ret = krb5_kt_register (context, &krb5_fkt_ops);
+ if (ret)
+ return ret;
+ ret = krb5_kt_register (context, &krb5_wrfkt_ops);
+ if (ret)
+ return ret;
+ ret = krb5_kt_register (context, &krb5_javakt_ops);
+ if (ret)
+ return ret;
+ ret = krb5_kt_register (context, &krb5_mkt_ops);
+ if (ret)
+ return ret;
#ifndef HEIMDAL_SMALLER
- krb5_kt_register (context, &krb5_akf_ops);
+ ret = krb5_kt_register (context, &krb5_akf_ops);
+ if (ret)
+ return ret;
#endif
- krb5_kt_register (context, &krb5_any_ops);
- return 0;
+ ret = krb5_kt_register (context, &krb5_any_ops);
+ return ret;
}
static krb5_error_code
@@ -476,8 +506,12 @@ krb5_init_context(krb5_context *context)
/* init error tables */
_krb5_init_ets(p);
- cc_ops_register(p);
- kt_ops_register(p);
+ ret = cc_ops_register(p);
+ if (ret)
+ goto out;
+ ret = kt_ops_register(p);
+ if (ret)
+ goto out;
#ifdef PKINIT
ret = hx509_context_init(&p->hx509ctx);
diff --git a/third_party/heimdal/lib/krb5/kx509.c b/third_party/heimdal/lib/krb5/kx509.c
index 7525739f66c..3bacdf10db0 100644
--- a/third_party/heimdal/lib/krb5/kx509.c
+++ b/third_party/heimdal/lib/krb5/kx509.c
@@ -1033,7 +1033,7 @@ rd_kx509_resp(krb5_context context,
code = 0; /* No error */
} else if (r.error_code < 0) {
code = KRB5KRB_ERR_GENERIC; /* ??? */
- } else if (r.error_code <= KX509_ERR_SRV_OVERLOADED) {
+ } else if (r.error_code <= KX509_ERR_SRV_OVERLOADED - ERROR_TABLE_BASE_kx59) {
/*
* RFC6717 (kx509) error code. These are actually not used on the
* wire in any existing implementations that we are aware of. Just
diff --git a/third_party/heimdal/lib/krb5/pkinit.c b/third_party/heimdal/lib/krb5/pkinit.c
index e3707e203a4..0fcaf640955 100644
--- a/third_party/heimdal/lib/krb5/pkinit.c
+++ b/third_party/heimdal/lib/krb5/pkinit.c
@@ -448,7 +448,9 @@ build_auth_pack(krb5_context context,
krb5_clear_error_message(context);
return ret;
}
- RAND_bytes(a->clientDHNonce->data, a->clientDHNonce->length);
+ ret = RAND_bytes(a->clientDHNonce->data, a->clientDHNonce->length);
+ if (ret != 1)
+ return KRB5_CRYPTO_INTERNAL;
ret = krb5_copy_data(context, a->clientDHNonce,
&ctx->clientDHNonce);
if (ret)
diff --git a/third_party/heimdal/lib/krb5/store.c b/third_party/heimdal/lib/krb5/store.c
index f95fd83aa95..e98dd4b9674 100644
--- a/third_party/heimdal/lib/krb5/store.c
+++ b/third_party/heimdal/lib/krb5/store.c
@@ -968,7 +968,7 @@ krb5_ret_data(krb5_storage *sp,
bytes = sp->fetch(sp, data->data, size);
if (bytes < 0 || bytes != size) {
krb5_data_free(data);
- return (ret < 0)? errno : sp->eof_code;
+ return (bytes < 0)? errno : sp->eof_code;
}
}
return 0;
diff --git a/third_party/heimdal/lib/roken/base32.c b/third_party/heimdal/lib/roken/base32.c
index 1a275321644..9eb999a871a 100644
--- a/third_party/heimdal/lib/roken/base32.c
+++ b/third_party/heimdal/lib/roken/base32.c
@@ -91,14 +91,14 @@ rk_base32_encode(const void *data, int size, char **str, enum rk_base32_flags fl
if (i < size)
c += q[i];
i++;
- p[0] = chars[(c & 0x00000000f800000000ULL) >> 35];
- p[1] = chars[(c & 0x0000000007c0000000ULL) >> 30];
- p[2] = chars[(c & 0x00000000003e000000ULL) >> 25];
- p[3] = chars[(c & 0x000000000001f00000ULL) >> 20];
- p[4] = chars[(c & 0x0000000000000f8000ULL) >> 15];
- p[5] = chars[(c & 0x000000000000007c00ULL) >> 10];
- p[6] = chars[(c & 0x0000000000000003e0ULL) >> 5];
- p[7] = chars[(c & 0x00000000000000001fULL) >> 0];
+ p[0] = chars[(c & 0x000000f800000000ULL) >> 35];
+ p[1] = chars[(c & 0x00000007c0000000ULL) >> 30];
+ p[2] = chars[(c & 0x000000003e000000ULL) >> 25];
+ p[3] = chars[(c & 0x0000000001f00000ULL) >> 20];
+ p[4] = chars[(c & 0x00000000000f8000ULL) >> 15];
+ p[5] = chars[(c & 0x0000000000007c00ULL) >> 10];
+ p[6] = chars[(c & 0x00000000000003e0ULL) >> 5];
+ p[7] = chars[(c & 0x000000000000001fULL) >> 0];
switch (i - size) {
case 4: p[2] = p[3] = '='; HEIM_FALLTHROUGH;
case 3: p[4] = '='; HEIM_FALLTHROUGH;
diff --git a/third_party/heimdal/lib/wind/gen-punycode-examples.py b/third_party/heimdal/lib/wind/gen-punycode-examples.py
index 0896f99d77d..8e47e569810 100644
--- a/third_party/heimdal/lib/wind/gen-punycode-examples.py
+++ b/third_party/heimdal/lib/wind/gen-punycode-examples.py
@@ -61,10 +61,10 @@ while True:
l2 = re.sub('^ *', '', l2)
l = l[:-2] + l2
if start:
- if re.match('7\.2', l):
+ if re.match(r'7\.2', l):
start = False
else:
- m = re.search('^ *\([A-Z]\) *(.*)$', l);
+ m = re.search(r'^ *\([A-Z]\) *(.*)$', l);
if m:
desc = m.group(1)
codes = []
@@ -77,7 +77,7 @@ while True:
if m:
cases.append([codes, m.group(1), desc])
else:
- if re.match('^7\.1', l):
+ if re.match(r'^7\.1', l):
start = True
cases = []
@@ -114,7 +114,7 @@ for x in cases:
examples_c.file.write(
" {%u, {%s}, \"%s\", \"%s\"},\n" %
(len(cp),
- ",".join([re.sub('[uU]\+', '0x', x) for x in cp]),
+ ",".join([re.sub(r'[uU]\+', '0x', x) for x in cp]),
pc,
desc))
--
Samba Shared Repository
More information about the samba-cvs
mailing list