Projects
Mega:24.09
krb5
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 2
View file
_service:tar_scm:krb5.spec
Changed
@@ -3,7 +3,7 @@ Name: krb5 Version: 1.21.2 -Release: 5 +Release: 8 Summary: The Kerberos network authentication protocol License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -32,6 +32,12 @@ Patch9: backport-Remove-klist-s-defname-global-variable.patch Patch10: backport-Fix-two-unlikely-memory-leaks.patch Patch11: backport-Allow-modifications-of-empty-profiles.patch +Patch12: fix-leak-in-KDC-NDR-encoding.patch +Patch13: backport-Fix-more-non-prototype-functions.patch +Patch14: backport-Fix-Python-regexp-literals.patch +Patch15: backport-Handle-empty-initial-buffer-in-IAKERB-initiator.patch +Patch16: backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch +Patch17: backport-Change-krb5_get_credentials-endtime-behavior.patch BuildRequires: gettext BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc @@ -330,6 +336,15 @@ %{_mandir}/man8/* %changelog +* Tue Jul 23 2024 zhangxingrong <zhangxingrong@uniontech.cn> - 1.21.2-8 +- Change krb5_get_credentials() endtime behavior + +* Thu Jul 4 2024 xuraoqing <xuraoqing@huawei.com> - 1.21.2-7 +- backport patches to fix bugs and CVE-2024-37370 CVE-2024-37371 + +* Thu Jun 27 2024 yanshuai <yanshuai@kylinos.cn> - 1.21.2-6 +- Fix leak in KDC NDR encoding + * Tue Jun 18 2024 gengqihu <gengqihu2@h-partners.com> - 1.21.2-5 - backport patches from upstream
View file
_service:tar_scm:backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch
Added
@@ -0,0 +1,536 @@ +From b0a2f8a5365f2eec3e27d78907de9f9d2c80505a Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Fri, 14 Jun 2024 10:56:12 -0400 +Subject: PATCH Fix vulnerabilities in GSS message token handling + +In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(), +verify the Extra Count field of CFX wrap tokens against the encrypted +header. Reported by Jacob Champion. + +In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext +length too short to contain the encrypted header and extra count +bytes. Reported by Jacob Champion. + +In kg_unseal_iov_token(), separately track the header IOV length and +complete token length when parsing the token's ASN.1 wrapper. This +fix contains modified versions of functions from k5-der.h and +util_token.c; this duplication will be cleaned up in a future commit. + +CVE-2024-37370: + +In MIT krb5 release 1.3 and later, an attacker can modify the +plaintext Extra Count field of a confidential GSS krb5 wrap token, +causing the unwrapped token to appear truncated to the application. + +CVE-2024-37371: + +In MIT krb5 release 1.3 and later, an attacker can cause invalid +memory reads by sending message tokens with invalid length fields. + +ticket: 9128 (new) +tags: pullup +target_version: 1.21-next + +Reference: https://github.com/krb5/krb5/commit/b0a2f8a5365f2eec3e27d78907de9f9d2c80505a +Conflict: src/tests/gssapi/t_invalid.c + +--- + src/lib/gssapi/krb5/k5sealv3.c | 5 + + src/lib/gssapi/krb5/k5sealv3iov.c | 3 +- + src/lib/gssapi/krb5/k5unsealiov.c | 80 +++++++++- + src/tests/gssapi/t_invalid.c | 233 +++++++++++++++++++++++++----- + 4 files changed, 275 insertions(+), 46 deletions(-) + +diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c +index e881eee..d3210c1 100644 +--- a/src/lib/gssapi/krb5/k5sealv3.c ++++ b/src/lib/gssapi/krb5/k5sealv3.c +@@ -400,10 +400,15 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, + /* Don't use bodysize here! Use the fact that + cipher.ciphertext.length has been adjusted to the + correct length. */ ++ if (plain.length < 16 + ec) { ++ free(plain.data); ++ goto defective; ++ } + althdr = (unsigned char *)plain.data + plain.length - 16; + if (load_16_be(althdr) != KG2_TOK_WRAP_MSG + || althdr2 != ptr2 + || althdr3 != ptr3 ++ || load_16_be(althdr+4) != ec + || memcmp(althdr+8, ptr+8, 8)) { + free(plain.data); + goto defective; +diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c +index 333ee12..f8e90c3 100644 +--- a/src/lib/gssapi/krb5/k5sealv3iov.c ++++ b/src/lib/gssapi/krb5/k5sealv3iov.c +@@ -402,9 +402,10 @@ gss_krb5int_unseal_v3_iov(krb5_context context, + if (load_16_be(althdr) != KG2_TOK_WRAP_MSG + || althdr2 != ptr2 + || althdr3 != ptr3 ++ || load_16_be(althdr + 4) != ec + || memcmp(althdr + 8, ptr + 8, 8) != 0) { + *minor_status = 0; +- return GSS_S_BAD_SIG; ++ return GSS_S_DEFECTIVE_TOKEN; + } + } else { + /* Verify checksum: note EC is checksum size here, not padding */ +diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c +index 3ce2a90..6a6585d 100644 +--- a/src/lib/gssapi/krb5/k5unsealiov.c ++++ b/src/lib/gssapi/krb5/k5unsealiov.c +@@ -25,6 +25,7 @@ + */ + + #include "k5-int.h" ++#include "k5-der.h" + #include "gssapiP_krb5.h" + + static OM_uint32 +@@ -247,6 +248,73 @@ cleanup: + return retval; + } + ++/* Similar to k5_der_get_value(), but output an unchecked content length ++ * instead of a k5input containing the contents. */ ++static inline bool ++get_der_tag(struct k5input *in, uint8_t idbyte, size_t *len_out) ++{ ++ uint8_t lenbyte, i; ++ size_t len; ++ ++ /* Do nothing if in is empty or the next byte doesn't match idbyte. */ ++ if (in->status || in->len == 0 || *in->ptr != idbyte) ++ return false; ++ ++ /* Advance past the identifier byte and decode the length. */ ++ (void)k5_input_get_byte(in); ++ lenbyte = k5_input_get_byte(in); ++ if (lenbyte < 128) { ++ len = lenbyte; ++ } else { ++ len = 0; ++ for (i = 0; i < (lenbyte & 0x7F); i++) { ++ if (len > (SIZE_MAX >> 8)) { ++ k5_input_set_status(in, EOVERFLOW); ++ return false; ++ } ++ len = (len << 8) | k5_input_get_byte(in); ++ } ++ } ++ ++ if (in->status) ++ return false; ++ ++ *len_out = len; ++ return true; ++} ++ ++/* ++ * Similar to g_verify_token_header() without toktype or flags, but do not read ++ * more than *header_len bytes of ASN.1 wrapper, and on output set *header_len ++ * to the remaining number of header bytes. Verify the outer DER tag's length ++ * against token_len, which may be larger (but not smaller) than *header_len. ++ */ ++static gss_int32 ++verify_detached_wrapper(const gss_OID_desc *mech, size_t *header_len, ++ uint8_t **header_in, size_t token_len) ++{ ++ struct k5input in, mech_der; ++ gss_OID_desc toid; ++ size_t len; ++ ++ k5_input_init(&in, *header_in, *header_len); ++ ++ if (get_der_tag(&in, 0x60, &len)) { ++ if (len != token_len - (in.ptr - *header_in)) ++ return G_BAD_TOK_HEADER; ++ if (!k5_der_get_value(&in, 0x06, &mech_der)) ++ return G_BAD_TOK_HEADER; ++ toid.elements = (uint8_t *)mech_der.ptr; ++ toid.length = mech_der.len; ++ if (!g_OID_equal(&toid, mech)) ++ return G_WRONG_MECH; ++ } ++ ++ *header_in = (uint8_t *)in.ptr; ++ *header_len = in.len; ++ return 0; ++} ++ + /* + * Caller must provide TOKEN | DATA | PADDING | TRAILER, except + * for DCE in which case it can just provide TOKEN | DATA (must +@@ -267,8 +335,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status, + gss_iov_buffer_t header; + gss_iov_buffer_t padding; + gss_iov_buffer_t trailer; +- size_t input_length; +- unsigned int bodysize; ++ size_t input_length, hlen; + int toktype2; + + header = kg_locate_header_iov(iov, iov_count, toktype); +@@ -298,15 +365,14 @@ kg_unseal_iov_token(OM_uint32 *minor_status, + input_length += trailer->buffer.length; + } + +- code = g_verify_token_header(ctx->mech_used, +- &bodysize, &ptr, -1, +- input_length, 0); ++ hlen = header->buffer.length; ++ code = verify_detached_wrapper(ctx->mech_used, &hlen, &ptr, input_length); + if (code != 0) { + *minor_status = code; + return GSS_S_DEFECTIVE_TOKEN; + } + +- if (bodysize < 2) { ++ if (hlen < 2) { + *minor_status = (OM_uint32)G_BAD_TOK_HEADER; + return GSS_S_DEFECTIVE_TOKEN; + } +@@ -314,7 +380,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status, + toktype2 = load_16_be(ptr); + + ptr += 2; +- bodysize -= 2; ++ hlen -= 2; + + switch (toktype2) { + case KG2_TOK_MIC_MSG: +diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c +index fb8fe55..d1f019f 100644 +--- a/src/tests/gssapi/t_invalid.c ++++ b/src/tests/gssapi/t_invalid.c +@@ -36,31 +36,41 @@ + * + * 1. A pre-CFX wrap or MIC token processed with a CFX-only context causes a + * null pointer dereference. (The token must use SEAL_ALG_NONE or it will +- * be rejected.) ++ * be rejected.) This vulnerability also applies to IOV unwrap. + * +- * 2. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1 ++ * 2. A CFX wrap token with a different value of EC between the plaintext and ++ * encrypted copies will be erroneously accepted, which allows a message ++ * truncation attack. This vulnerability also applies to IOV unwrap. ++ * ++ * 3. A CFX wrap token with a plaintext length fewer than 16 bytes causes an ++ * access before the beginning of the input buffer, possibly leading to a ++ * crash. ++ * ++ * 4. A CFX wrap token with a plaintext EC value greater than the plaintext ++ * length - 16 causes an integer underflow when computing the result length, ++ * likely causing a crash. ++ * ++ * 5. An IOV unwrap operation will overrun the header buffer if an ASN.1 ++ * wrapper longer than the header buffer is present. ++ * ++ * 6. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1 + * header causes an input buffer overrun, usually leading to either a segv + * or a GSS_S_DEFECTIVE_TOKEN error due to garbage algorithm, filler, or +- * sequence number values. ++ * sequence number values. This vulnerability also applies to IOV unwrap. + * +- * 3. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1 ++ * 7. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1 + * header causes an integer underflow when computing the ciphertext length, + * leading to an allocation error on 32-bit platforms or a segv on 64-bit + * platforms. A pre-CFX MIC token of this size causes an input buffer + * overrun when comparing the checksum, perhaps leading to a segv. + * +- * 4. A pre-CFX wrap token with fewer than conflen + padlen bytes in the ++ * 8. A pre-CFX wrap token with fewer than conflen + padlen bytes in the + * ciphertext (where padlen is the last byte of the decrypted ciphertext) + * causes an integer underflow when computing the original message length, + * leading to an allocation error. + * +- * 5. In the mechglue, truncated encapsulation in the initial context token can ++ * 9. In the mechglue, truncated encapsulation in the initial context token can + * cause input buffer overruns in gss_accept_sec_context(). +- * +- * Vulnerabilities #1 and #2 also apply to IOV unwrap, although tokens with +- * fewer than 16 bytes after the ASN.1 header will be rejected. +- * Vulnerabilities #2 and #5 can only be robustly detected using a +- * memory-checking environment such as valgrind. + */ + + #include "k5-int.h" +@@ -98,16 +108,24 @@ struct test { + }; + + /* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key. */ ++static void * ++ealloc(size_t len) ++{ ++ void *ptr = calloc(len, 1); ++ ++ if (ptr == NULL) ++ abort(); ++ return ptr; ++} ++ ++/* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key. ++ * The context takes ownership of subkey. */ + static gss_ctx_id_t +-make_fake_cfx_context() ++make_fake_cfx_context(krb5_key subkey) + { + gss_union_ctx_id_t uctx; + krb5_gss_ctx_id_t kgctx; +- krb5_keyblock kb; +- +- kgctx = calloc(1, sizeof(*kgctx)); +- if (kgctx == NULL) +- abort(); ++ kgctx = ealloc(sizeof(*kgctx)); + kgctx->established = 1; + kgctx->proto = 1; + if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0) +@@ -116,15 +134,10 @@ make_fake_cfx_context() + kgctx->sealalg = -1; + kgctx->signalg = -1; + +- kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96; +- kb.length = 16; +- kb.contents = (unsigned char *)"1234567887654321"; +- if (krb5_k_create_key(NULL, &kb, &kgctx->subkey) != 0) +- abort(); ++ kgctx->subkey = subkey; ++ kgctx->cksumtype = CKSUMTYPE_HMAC_SHA1_96_AES128; + +- uctx = calloc(1, sizeof(*uctx)); +- if (uctx == NULL) +- abort(); ++ uctx = ealloc(sizeof(*uctx)); + uctx->mech_type = &mech_krb5; + uctx->internal_ctx_id = (gss_ctx_id_t)kgctx; + return (gss_ctx_id_t)uctx; +@@ -138,9 +151,7 @@ make_fake_context(const struct test *test) + krb5_gss_ctx_id_t kgctx; + krb5_keyblock kb; + +- kgctx = calloc(1, sizeof(*kgctx)); +- if (kgctx == NULL) +- abort(); ++ kgctx = ealloc(sizeof(*kgctx)); + kgctx->established = 1; + if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0) + abort(); +@@ -162,9 +173,7 @@ make_fake_context(const struct test *test) + if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0) + abort(); + +- uctx = calloc(1, sizeof(*uctx)); +- if (uctx == NULL) +- abort(); ++ uctx = ealloc(sizeof(*uctx)); + uctx->mech_type = &mech_krb5; + uctx->internal_ctx_id = (gss_ctx_id_t)kgctx; + return (gss_ctx_id_t)uctx; +@@ -194,9 +203,7 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out) + + assert(mech_krb5.length == 9); + assert(len + 11 < 128); +- wrapped = malloc(len + 13); +- if (wrapped == NULL) +- abort(); ++ wrapped = ealloc(len + 13); + wrapped0 = 0x60; + wrapped1 = len + 11; + wrapped2 = 0x06; +@@ -207,6 +214,18 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out) + out->value = wrapped; + } + ++/* Create a 16-byte header for a CFX confidential wrap token to be processed by ++ * the fake CFX context. */ ++static void ++write_cfx_header(uint16_t ec, uint8_t *out) ++{ ++ memset(out, 0, 16); ++ store_16_be(KG2_TOK_WRAP_MSG, out); ++ out2 = FLAG_WRAP_CONFIDENTIAL; ++ out3 = 0xFF; ++ store_16_be(ec, out + 4); ++} ++ + /* Unwrap a superficially valid RFC 1964 token with a CFX-only context, with + * regular and IOV unwrap. */ + static void +@@ -238,6 +257,134 @@ test_bogus_1964_token(gss_ctx_id_t ctx) + free(in.value); + } + ++static void ++test_cfx_altered_ec(gss_ctx_id_t ctx, krb5_key subkey) ++{ ++ OM_uint32 major, minor; ++ uint8_t tokbuf128, plainbuf24; ++ krb5_data plain; ++ krb5_enc_data cipher; ++ gss_buffer_desc in, out; ++ gss_iov_buffer_desc iov2; ++ ++ /* Construct a header with a plaintext EC value of 3. */ ++ write_cfx_header(3, tokbuf); ++ ++ /* Encrypt a plaintext and a copy of the header with the EC value 0. */ ++ memcpy(plainbuf, "truncate", 8); ++ memcpy(plainbuf + 8, tokbuf, 16); ++ store_16_be(0, plainbuf + 12); ++ plain = make_data(plainbuf, 24); ++ cipher.ciphertext.data = (char *)tokbuf + 16; ++ cipher.ciphertext.length = sizeof(tokbuf) - 16; ++ cipher.enctype = subkey->keyblock.enctype; ++ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL, ++ &plain, &cipher) != 0) ++ abort(); ++ ++ /* Verify that the token is rejected by gss_unwrap(). */ ++ in.value = tokbuf; ++ in.length = 16 + cipher.ciphertext.length; ++ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL); ++ if (major != GSS_S_DEFECTIVE_TOKEN) ++ abort(); ++ (void)gss_release_buffer(&minor, &out); ++ ++ /* Verify that the token is rejected by gss_unwrap_iov(). */ ++ iov0.type = GSS_IOV_BUFFER_TYPE_STREAM; ++ iov0.buffer = in; ++ iov1.type = GSS_IOV_BUFFER_TYPE_DATA; ++ major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2); ++ if (major != GSS_S_DEFECTIVE_TOKEN) ++ abort(); ++} ++ ++static void ++test_cfx_short_plaintext(gss_ctx_id_t ctx, krb5_key subkey) ++{ ++ OM_uint32 major, minor; ++ uint8_t tokbuf128, zerobyte = 0; ++ krb5_data plain; ++ krb5_enc_data cipher; ++ gss_buffer_desc in, out; ++ ++ write_cfx_header(0, tokbuf); ++ ++ /* Encrypt a single byte, with no copy of the header. */ ++ plain = make_data(&zerobyte, 1); ++ cipher.ciphertext.data = (char *)tokbuf + 16; ++ cipher.ciphertext.length = sizeof(tokbuf) - 16; ++ cipher.enctype = subkey->keyblock.enctype; ++ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL, ++ &plain, &cipher) != 0) ++ abort(); ++ ++ /* Verify that the token is rejected by gss_unwrap(). */ ++ in.value = tokbuf; ++ in.length = 16 + cipher.ciphertext.length; ++ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL); ++ if (major != GSS_S_DEFECTIVE_TOKEN) ++ abort(); ++ (void)gss_release_buffer(&minor, &out); ++} ++ ++static void ++test_cfx_large_ec(gss_ctx_id_t ctx, krb5_key subkey) ++{ ++ OM_uint32 major, minor; ++ uint8_t tokbuf128 = { 0 }, plainbuf20; ++ krb5_data plain; ++ krb5_enc_data cipher; ++ gss_buffer_desc in, out; ++ ++ /* Construct a header with an EC value of 5. */ ++ write_cfx_header(5, tokbuf); ++ ++ /* Encrypt a 4-byte plaintext plus the header. */ ++ memcpy(plainbuf, "abcd", 4); ++ memcpy(plainbuf + 4, tokbuf, 16); ++ plain = make_data(plainbuf, 20); ++ cipher.ciphertext.data = (char *)tokbuf + 16; ++ cipher.ciphertext.length = sizeof(tokbuf) - 16; ++ cipher.enctype = subkey->keyblock.enctype; ++ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL, ++ &plain, &cipher) != 0) ++ abort(); ++ ++ /* Verify that the token is rejected by gss_unwrap(). */ ++ in.value = tokbuf; ++ in.length = 16 + cipher.ciphertext.length; ++ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL); ++ if (major != GSS_S_DEFECTIVE_TOKEN) ++ abort(); ++ (void)gss_release_buffer(&minor, &out); ++} ++ ++static void ++test_iov_large_asn1_wrapper(gss_ctx_id_t ctx) ++{ ++ OM_uint32 minor, major; ++ uint8_t databuf10 = { 0 }; ++ gss_iov_buffer_desc iov2; ++ ++ /* ++ * In this IOV array, the header contains a DER tag with a dangling eight ++ * bytes of length field. The data IOV indicates a total token length ++ * sufficient to contain the length bytes. ++ */ ++ iov0.type = GSS_IOV_BUFFER_TYPE_HEADER; ++ iov0.buffer.value = ealloc(2); ++ iov0.buffer.length = 2; ++ memcpy(iov0.buffer.value, "\x60\x88", 2); ++ iov1.type = GSS_IOV_BUFFER_TYPE_DATA; ++ iov1.buffer.value = databuf; ++ iov1.buffer.length = 10; ++ major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2); ++ if (major != GSS_S_DEFECTIVE_TOKEN) ++ abort(); ++ free(iov0.buffer.value); ++} ++ + /* Process wrap and MIC tokens with incomplete headers. */ + static void + test_short_header(gss_ctx_id_t ctx) +@@ -387,9 +534,7 @@ try_accept(void *value, size_t len) + gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; + + /* Copy the provided value to make input overruns more obvious. */ +- in.value = malloc(len); +- if (in.value == NULL) +- abort(); ++ in.value = ealloc(len); + memcpy(in.value, value, len); + in.length = len; + (void)gss_accept_sec_context(&minor, &ctx, GSS_C_NO_CREDENTIAL, &in, +@@ -424,11 +569,23 @@ test_short_encapsulation() + int + main(int argc, char **argv) + { ++ krb5_keyblock kb; ++ krb5_key cfx_subkey; + gss_ctx_id_t ctx; + size_t i; + +- ctx = make_fake_cfx_context(); ++ kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96; ++ kb.length = 16; ++ kb.contents = (unsigned char *)"1234567887654321"; ++ if (krb5_k_create_key(NULL, &kb, &cfx_subkey) != 0) ++ abort(); ++ ++ ctx = make_fake_cfx_context(cfx_subkey); + test_bogus_1964_token(ctx); ++ test_cfx_altered_ec(ctx, cfx_subkey); ++ test_cfx_short_plaintext(ctx, cfx_subkey); ++ test_cfx_large_ec(ctx, cfx_subkey); ++ test_iov_large_asn1_wrapper(ctx); + free_fake_context(ctx); + + for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) { +-- +2.33.0 +
View file
_service:tar_scm:backport-Change-krb5_get_credentials-endtime-behavior.patch
Added
@@ -0,0 +1,77 @@ +From e68890329f8ab766f9b746351b5c7d2d18d8dd48 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Thu, 27 Jun 2024 07:25:21 -0400 +Subject: PATCH Change krb5_get_credentials() endtime behavior + +Historically, krb5_get_credentials() uses in_creds->times.endtime both +as the TGS request endtime and as a cache lookup criterion. These +uses are in conflict; setting a TGS request endtime can only serve to +limit the maximum lifetime of the issued ticket, while a cache lookup +endtime restricts the minimum lifetime of an acceptable cached ticket. +The likely outcome is to never use a cached ticket, leading to poor +performance as we add an entry to the cache for each request. + +Change to the Heimdal behavior of using in_creds->times.endtime only +as the TGS request endtime. + +ticket: 9132 (new) +--- + src/include/krb5/krb5.hin | 8 ++++---- + src/lib/krb5/krb/get_creds.c | 13 +++++-------- + 2 files changed, 9 insertions(+), 12 deletions(-) + +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index 7c4fc10dd4..99b637872f 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -3043,10 +3043,10 @@ krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts); + * session key type is specified in @a in_creds->keyblock.enctype, if it is + * nonzero. + * +- * The expiration date is specified in @a in_creds->times.endtime. +- * The KDC may return tickets with an earlier expiration date. +- * If @a in_creds->times.endtime is set to 0, the latest possible +- * expiration date will be requested. ++ * If @a in_creds->times.endtime is specified, it is used as the requested ++ * expiration date if a TGS request is made. If @a in_creds->times.endtime is ++ * set to 0, the latest possible expiration date will be requested. The KDC or ++ * cache may return a ticket with an earlier expiration date. + * + * Any returned ticket and intermediate ticket-granting tickets are stored + * in @a ccache. +diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c +index e986844a71..00becae965 100644 +--- a/src/lib/krb5/krb/get_creds.c ++++ b/src/lib/krb5/krb/get_creds.c +@@ -53,18 +53,16 @@ construct_matching_creds(krb5_context context, krb5_flags options, + krb5_creds *in_creds, krb5_creds *mcreds, + krb5_flags *fields) + { ++ krb5_error_code ret; ++ + if (!in_creds || !in_creds->server || !in_creds->client) + return EINVAL; + + memset(mcreds, 0, sizeof(krb5_creds)); + mcreds->magic = KV5M_CREDS; +- if (in_creds->times.endtime != 0) { +- mcreds->times.endtime = in_creds->times.endtime; +- } else { +- krb5_error_code retval; +- retval = krb5_timeofday(context, &mcreds->times.endtime); +- if (retval != 0) return retval; +- } ++ ret = krb5_timeofday(context, &mcreds->times.endtime); ++ if (ret) ++ return ret; + mcreds->keyblock = in_creds->keyblock; + mcreds->authdata = in_creds->authdata; + mcreds->server = in_creds->server; +@@ -75,7 +73,6 @@ construct_matching_creds(krb5_context context, krb5_flags options, + | KRB5_TC_SUPPORTED_KTYPES; + if (mcreds->keyblock.enctype) { + krb5_enctype *ktypes; +- krb5_error_code ret; + int i; + + *fields |= KRB5_TC_MATCH_KTYPE;
View file
_service:tar_scm:backport-Fix-Python-regexp-literals.patch
Added
@@ -0,0 +1,44 @@ +From 4b21b2e2821d3cb91042be09e0ebe09707a57d72 Mon Sep 17 00:00:00 2001 +From: Arjun <pkillarjun@protonmail.com> +Date: Thu, 9 May 2024 20:47:08 +0530 +Subject: PATCH Fix Python regexp literals + +Add missing "r" prefixes before literals using regexp escape +sequences. + +ghudson@mit.edu: split into separate commit; rewrote commit message + +Reference: https://github.com/krb5/krb5/commit/4b21b2e2821d3cb91042be09e0ebe09707a57d72 +Conflict: NA + +--- + src/util/cstyle-file.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/util/cstyle-file.py b/src/util/cstyle-file.py +index 837fa05..56b1e32 100644 +--- a/src/util/cstyle-file.py ++++ b/src/util/cstyle-file.py +@@ -208,7 +208,7 @@ def check_assignment_in_conditional(line, ln): + + + def indent(line): +- return len(re.match('\s*', line).group(0).expandtabs()) ++ return len(re.match(r'\s*', line).group(0).expandtabs()) + + + def check_unbraced_flow_body(line, ln, lines): +@@ -220,8 +220,8 @@ def check_unbraced_flow_body(line, ln, lines): + if m and (m.group(1) is None) != (m.group(3) is None): + warn(ln, 'One arm of if/else statement braced but not the other') + +- if (re.match('\s*(if|else if|for|while)\s*\(.*\)$', line) or +- re.match('\s*else$', line)): ++ if (re.match(r'\s*(if|else if|for|while)\s*\(.*\)$', line) or ++ re.match(r'\s*else$', line)): + base = indent(line) + # Look at the next two lines (ln is 1-based so linesln is next). + if indent(linesln) > base and indent(linesln + 1) > base: +-- +2.33.0 +
View file
_service:tar_scm:backport-Fix-more-non-prototype-functions.patch
Added
@@ -0,0 +1,857 @@ +From 623d649ba852839ba4822934bad9f97c184bf3ab Mon Sep 17 00:00:00 2001 +From: Arjun <pkillarjun@protonmail.com> +Date: Thu, 9 May 2024 20:47:08 +0530 +Subject: PATCH Fix more non-prototype functions + +Add "void" designations to more function declarations and definitions +not changed by commits 3ae9244cd021a75eba909d872a92c25db490714d and +4b9d7f7c107f01a61600fddcd8cde3812d0366a2. + +ghudson@mit.edu: change additional functions; split into two commits; +rewrote commit message + +Reference:https://github.com/krb5/krb5/commit/623d649ba852839ba4822934bad9f97c184bf3ab +Conflict: src/lib/crypto/crypto_tests/vectors.c + +--- + src/ccapi/common/win/OldCC/ccutils.c | 2 +- + src/ccapi/common/win/OldCC/ccutils.h | 2 +- + src/ccapi/common/win/OldCC/util.h | 2 +- + src/ccapi/common/win/win-utils.c | 2 +- + src/ccapi/common/win/win-utils.h | 4 +- + src/ccapi/lib/ccapi_context.h | 2 +- + src/ccapi/lib/win/dllmain.h | 2 +- + src/ccapi/server/ccs_server.c | 2 +- + src/ccapi/server/ccs_server.h | 2 +- + src/ccapi/server/win/WorkQueue.h | 8 +-- + src/ccapi/test/pingtest.c | 2 +- + src/include/gssrpc/netdb.h | 4 +- + src/include/port-sockets.h | 2 +- + src/kadmin/cli/getdate.y | 2 +- + src/kadmin/dbutil/kdb5_util.c | 2 +- + src/kprop/kprop.c | 2 +- + src/lib/crypto/crypto_tests/t_pkcs5.c | 4 +- + src/lib/crypto/crypto_tests/vectors.c | 8 +-- + src/lib/gssapi/generic/maptest.c | 2 +- + src/lib/krb5/ccache/ccapi/stdcc.c | 6 +- + src/lib/krb5/ccache/ccapi/winccld.c | 9 ++- + src/lib/krb5/ccache/ccbase.c | 2 +- + src/lib/krb5/krb/bld_princ.c | 4 +- + src/lib/krb5/krb/conv_creds.c | 2 +- + src/lib/krb5/krb/init_ctx.c | 2 +- + src/lib/krb5/os/dnsglue.c | 4 +- + src/lib/krb5/os/localaddr.c | 6 +- + src/lib/rpc/getrpcent.c | 6 +- + src/lib/win_glue.c | 8 +-- + src/plugins/kdb/db2/kdb_db2.c | 4 +- + src/plugins/kdb/db2/libdb2/hash/dbm.c | 2 +- + .../kdb/ldap/libkdb_ldap/kdb_ldap_conn.c | 4 +- + src/tests/threads/gss-perf.c | 4 +- + src/tests/threads/init_ctx.c | 2 +- + src/tests/threads/profread.c | 2 +- + src/tests/threads/t_rcache.c | 2 +- + src/util/et/com_err.c | 4 +- + src/util/et/error_message.c | 2 +- + src/util/profile/prof_file.c | 4 +- + src/util/support/secure_getenv.c | 2 +- + src/windows/include/leashwin.h | 60 +++++++++---------- + 41 files changed, 99 insertions(+), 98 deletions(-) + +diff --git a/src/ccapi/common/win/OldCC/ccutils.c b/src/ccapi/common/win/OldCC/ccutils.c +index 403c67e..7abaefa 100644 +--- a/src/ccapi/common/win/OldCC/ccutils.c ++++ b/src/ccapi/common/win/OldCC/ccutils.c +@@ -30,7 +30,7 @@ + #include "cci_debugging.h" + #include "util.h" + +-BOOL isNT() { ++BOOL isNT(void) { + OSVERSIONINFO osvi; + DWORD status = 0; + BOOL bSupportedVersion = FALSE; +diff --git a/src/ccapi/common/win/OldCC/ccutils.h b/src/ccapi/common/win/OldCC/ccutils.h +index 9da3d87..0fb7e14 100644 +--- a/src/ccapi/common/win/OldCC/ccutils.h ++++ b/src/ccapi/common/win/OldCC/ccutils.h +@@ -33,7 +33,7 @@ extern "C" { + #define REPLY_SUFFIX (char*)"reply" + #define LISTEN_SUFFIX (char*)"listen" + +-BOOL isNT(); ++BOOL isNT(void); + char* allocEventName (char* uuid, char* suffix); + HANDLE createThreadEvent(char* uuid, char* suffix); + HANDLE openThreadEvent (char* uuid, char* suffix); +diff --git a/src/ccapi/common/win/OldCC/util.h b/src/ccapi/common/win/OldCC/util.h +index 45e069a..7ee5319 100644 +--- a/src/ccapi/common/win/OldCC/util.h ++++ b/src/ccapi/common/win/OldCC/util.h +@@ -30,7 +30,7 @@ + extern "C" { + #endif + +-BOOL isNT(); ++BOOL isNT(void); + + void* + user_allocate( +diff --git a/src/ccapi/common/win/win-utils.c b/src/ccapi/common/win/win-utils.c +index b49cca8..d9018a6 100644 +--- a/src/ccapi/common/win/win-utils.c ++++ b/src/ccapi/common/win/win-utils.c +@@ -60,7 +60,7 @@ char* serverEndpoint(const char* user) { + return _serverEndpoint; + } + +-char* timestamp() { ++char* timestamp(void) { + SYSTEMTIME _stime; + GetSystemTime(&_stime); + GetTimeFormat(LOCALE_SYSTEM_DEFAULT, 0, &_stime, "HH:mm:ss", _ts, sizeof(_ts)-1); +diff --git a/src/ccapi/common/win/win-utils.h b/src/ccapi/common/win/win-utils.h +index 41cab24..94d0a9f 100644 +--- a/src/ccapi/common/win/win-utils.h ++++ b/src/ccapi/common/win/win-utils.h +@@ -50,6 +50,6 @@ char* clientEndpoint(const char* UUID); + char* serverEndpoint(const char* UUID); + extern unsigned char* pszProtocolSequence; + +-char* timestamp(); ++char* timestamp(void); + +-#endif // _win_utils_h +\ No newline at end of file ++#endif // _win_utils_h +diff --git a/src/ccapi/lib/ccapi_context.h b/src/ccapi/lib/ccapi_context.h +index 51b8982..88f0ee8 100644 +--- a/src/ccapi/lib/ccapi_context.h ++++ b/src/ccapi/lib/ccapi_context.h +@@ -79,7 +79,7 @@ cc_int32 ccapi_context_compare (cc_context_t in_context, + cc_uint32 *out_equal); + + #ifdef WIN32 +-void cci_thread_init__auxinit(); ++void cci_thread_init__auxinit(void); + #endif + + +diff --git a/src/ccapi/lib/win/dllmain.h b/src/ccapi/lib/win/dllmain.h +index 8238566..28ca34e 100644 +--- a/src/ccapi/lib/win/dllmain.h ++++ b/src/ccapi/lib/win/dllmain.h +@@ -32,7 +32,7 @@ + extern "C" { // we need to export the C interface + #endif + +-DWORD GetTlsIndex(); ++DWORD GetTlsIndex(void); + + #ifdef __cplusplus + } +diff --git a/src/ccapi/server/ccs_server.c b/src/ccapi/server/ccs_server.c +index 1fc8d2c..de74b71 100644 +--- a/src/ccapi/server/ccs_server.c ++++ b/src/ccapi/server/ccs_server.c +@@ -402,7 +402,7 @@ cc_int32 ccs_server_send_reply (ccs_pipe_t in_reply_pipe, + + /* ------------------------------------------------------------------------ */ + +-cc_uint64 ccs_server_client_count () ++cc_uint64 ccs_server_client_count (void) + { + return ccs_client_array_count (g_client_array); + } +diff --git a/src/ccapi/server/ccs_server.h b/src/ccapi/server/ccs_server.h +index e920ad9..f71ab06 100644 +--- a/src/ccapi/server/ccs_server.h ++++ b/src/ccapi/server/ccs_server.h +@@ -48,6 +48,6 @@ cc_int32 ccs_server_send_reply (ccs_pipe_t in_reply_pipe, + cc_int32 in_reply_err, + k5_ipc_stream in_reply_data); + +-cc_uint64 ccs_server_client_count (); ++cc_uint64 ccs_server_client_count (void); + + #endif /* CCS_SERVER_H */ +diff --git a/src/ccapi/server/win/WorkQueue.h b/src/ccapi/server/win/WorkQueue.h +index 68aa8b1..66a2960 100644 +--- a/src/ccapi/server/win/WorkQueue.h ++++ b/src/ccapi/server/win/WorkQueue.h +@@ -29,14 +29,14 @@ + #include "windows.h" + #include "ccs_pipe.h" + +-EXTERN_C int worklist_initialize(); ++EXTERN_C int worklist_initialize(void); + +-EXTERN_C int worklist_cleanup(); ++EXTERN_C int worklist_cleanup(void); + + /* Wait for work to be added to the list (via worklist_add) from another thread */ +-EXTERN_C void worklist_wait(); ++EXTERN_C void worklist_wait(void); + +-EXTERN_C BOOL worklist_isEmpty(); ++EXTERN_C BOOL worklist_isEmpty(void); + + EXTERN_C int worklist_add( const long rpcmsg, + const ccs_pipe_t pipe, +diff --git a/src/ccapi/test/pingtest.c b/src/ccapi/test/pingtest.c +index 0ffc15e..24327c2 100644 +--- a/src/ccapi/test/pingtest.c ++++ b/src/ccapi/test/pingtest.c +@@ -23,7 +23,7 @@ extern cc_int32 cci_os_ipc_msg( cc_int32 in_launch_server, + + static DWORD dwTlsIndex; + +-DWORD GetTlsIndex() {return dwTlsIndex;} ++DWORD GetTlsIndex(void) {return dwTlsIndex;} + + RPC_STATUS send_test(char* endpoint) { + unsigned char* pszNetworkAddress = NULL; +diff --git a/src/include/gssrpc/netdb.h b/src/include/gssrpc/netdb.h +index f933fbb..2f62edf 100644 +--- a/src/include/gssrpc/netdb.h ++++ b/src/include/gssrpc/netdb.h +@@ -53,6 +53,8 @@ struct rpcent { + }; + #endif /*STRUCT_RPCENT_IN_RPC_NETDB_H*/ + +-struct rpcent *getrpcbyname(), *getrpcbynumber(), *getrpcent(); ++struct rpcent *getrpcbyname(const char *name); ++struct rpcent *getrpcbynumber(int number); ++struct rpcent *getrpcent(void); + + #endif +diff --git a/src/include/port-sockets.h b/src/include/port-sockets.h +index 57e5d1d..228e4cf 100644 +--- a/src/include/port-sockets.h ++++ b/src/include/port-sockets.h +@@ -111,7 +111,7 @@ static __inline void TranslatedWSASetLastError(int posix_error) + * Translate Winsock errors to their POSIX counterparts. This is necessary for + * MSVC 2010+, where both Winsock and POSIX errors are defined. + */ +-static __inline int TranslatedWSAGetLastError() ++static __inline int TranslatedWSAGetLastError(void) + { + int err = WSAGetLastError(); + switch (err) { +diff --git a/src/kadmin/cli/getdate.y b/src/kadmin/cli/getdate.y +index d14cf96..6d80027 100644 +--- a/src/kadmin/cli/getdate.y ++++ b/src/kadmin/cli/getdate.y +@@ -778,7 +778,7 @@ LookupWord(char *buff) + + + static int +-yylex() ++yylex(void) + { + char c; + char *p; +diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c +index 19a5925..12c6d32 100644 +--- a/src/kadmin/dbutil/kdb5_util.c ++++ b/src/kadmin/dbutil/kdb5_util.c +@@ -74,7 +74,7 @@ int exit_status = 0; + krb5_context util_context; + kadm5_config_params global_params; + +-void usage() ++void usage(void) + { + fprintf(stderr, + _("Usage: kdb5_util -r realm -d dbname " +diff --git a/src/kprop/kprop.c b/src/kprop/kprop.c +index 8f9fd69..e8f7feb 100644 +--- a/src/kprop/kprop.c ++++ b/src/kprop/kprop.c +@@ -80,7 +80,7 @@ static void send_error(krb5_context context, krb5_creds *my_creds, int fd, + char *err_text, krb5_error_code err_code); + static void update_last_prop_file(char *hostname, char *file_name); + +-static void usage() ++static void usage(void) + { + fprintf(stderr, _("\nUsage: %s -r realm -f file -d -P port " + "-s keytab replica_host\n\n"), progname); +diff --git a/src/lib/crypto/crypto_tests/t_pkcs5.c b/src/lib/crypto/crypto_tests/t_pkcs5.c +index 8e87a80..f4bb33e 100644 +--- a/src/lib/crypto/crypto_tests/t_pkcs5.c ++++ b/src/lib/crypto/crypto_tests/t_pkcs5.c +@@ -38,7 +38,7 @@ static void printdata (krb5_data *d) { + printhex (d->length, d->data); + } + +-static void test_pbkdf2_rfc3211() ++static void test_pbkdf2_rfc3211(void) + { + char x100; + krb5_error_code err; +@@ -92,7 +92,7 @@ static void test_pbkdf2_rfc3211() + } + } + +-int main () ++int main(void) + { + test_pbkdf2_rfc3211(); + return 0; +diff --git a/src/lib/crypto/crypto_tests/vectors.c b/src/lib/crypto/crypto_tests/vectors.c +index eb107db..b40551d 100644 +--- a/src/lib/crypto/crypto_tests/vectors.c ++++ b/src/lib/crypto/crypto_tests/vectors.c +@@ -56,7 +56,7 @@ static void printdata (krb5_data *d) { printhex (d->length, d->data); } + + static void printkey (krb5_keyblock *k) { printhex (k->length, k->contents); } + +-static void test_nfold () ++static void test_nfold (void) + { + int i; + static const struct { +@@ -96,7 +96,7 @@ static void test_nfold () + so try to generate them. */ + + static void +-test_mit_des_s2k () ++test_mit_des_s2k (void) + { + static const struct { + const char *pass; +@@ -223,7 +223,7 @@ void DR (krb5_data *out, krb5_keyblock *in, const krb5_data *usage) { + #define KEYBYTES 21 + #define KEYLENGTH 24 + +-void test_dr_dk () ++void test_dr_dk (void) + { + static const struct { + unsigned char keydataKEYLENGTH; +@@ -367,7 +367,7 @@ static void printk(const char *descr, krb5_keyblock *k) { + + + static void +-test_pbkdf2() ++test_pbkdf2(void) + { + static struct { + int count; +diff --git a/src/lib/gssapi/generic/maptest.c b/src/lib/gssapi/generic/maptest.c +index 566d88c..ab3ed90 100644 +--- a/src/lib/gssapi/generic/maptest.c ++++ b/src/lib/gssapi/generic/maptest.c +@@ -42,7 +42,7 @@ static void intprt(int v, FILE *f) + + foo foo1; + +-int main () ++int main (void) + { + elt v1 = { 1, 2 }, v2 = { 3, 4 }; + const elt *vp; +diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c +index 427b329..9cd2ad3 100644 +--- a/src/lib/krb5/ccache/ccapi/stdcc.c ++++ b/src/lib/krb5/ccache/ccapi/stdcc.c +@@ -101,7 +101,7 @@ krb5_cc_ops krb5_cc_stdcc_ops = { + * changes made. We register a unique message type with which + * we'll communicate to all other processes. + */ +-static void cache_changed() ++static void cache_changed(void) + { + static unsigned int message = 0; + +@@ -112,7 +112,7 @@ static void cache_changed() + } + #else /* _WIN32 */ + +-static void cache_changed() ++static void cache_changed(void) + { + return; + } +@@ -242,7 +242,7 @@ static krb5_error_code stdccv3_setup (krb5_context context, + } + + /* krb5_stdcc_shutdown is exported; use the old name */ +-void krb5_stdcc_shutdown() ++void krb5_stdcc_shutdown(void) + { + if (gCntrlBlock) { cc_context_release(gCntrlBlock); } + gCntrlBlock = NULL; +diff --git a/src/lib/krb5/ccache/ccapi/winccld.c b/src/lib/krb5/ccache/ccapi/winccld.c +index 8b2e90c..62b1bd7 100644 +--- a/src/lib/krb5/ccache/ccapi/winccld.c ++++ b/src/lib/krb5/ccache/ccapi/winccld.c +@@ -18,8 +18,8 @@ extern const krb5_cc_ops krb5_fcc_ops; + + static int krb5_win_ccdll_loaded = 0; + +-extern void krb5_win_ccdll_load(); +-extern int krb5_is_ccdll_loaded(); ++extern void krb5_win_ccdll_load(krb5_context context); ++extern int krb5_is_ccdll_loaded(void); + + /* + * return codes +@@ -81,8 +81,7 @@ static int LoadFuncs(const char* dll_name, FUNC_INFO fi, + return LF_OK; + } + +-void krb5_win_ccdll_load(context) +- krb5_context context; ++void krb5_win_ccdll_load(krb5_context context) + { + krb5_cc_register(context, &krb5_fcc_ops, 0); + if (krb5_win_ccdll_loaded) +@@ -93,7 +92,7 @@ void krb5_win_ccdll_load(context) + krb5_cc_dfl_ops = &krb5_cc_stdcc_ops; /* Use stdcc! */ + } + +-int krb5_is_ccdll_loaded() ++int krb5_is_ccdll_loaded(void) + { + return krb5_win_ccdll_loaded; + } +diff --git a/src/lib/krb5/ccache/ccbase.c b/src/lib/krb5/ccache/ccbase.c +index 5a01320..696b681 100644 +--- a/src/lib/krb5/ccache/ccbase.c ++++ b/src/lib/krb5/ccache/ccbase.c +@@ -614,7 +614,7 @@ k5_cccol_unlock(krb5_context context) + + /* necessary to make reentrant locks play nice with krb5int_cc_finalize */ + void +-k5_cccol_force_unlock() ++k5_cccol_force_unlock(void) + { + /* sanity check */ + if ((&cccol_lock)->refcount == 0) { +diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c +index ff8265a..701454f 100644 +--- a/src/lib/krb5/krb/bld_princ.c ++++ b/src/lib/krb5/krb/bld_princ.c +@@ -170,13 +170,13 @@ const krb5_principal_data anon_princ = { + }; + + const krb5_data * KRB5_CALLCONV +-krb5_anonymous_realm() ++krb5_anonymous_realm(void) + { + return &anon_realm_data; + } + + krb5_const_principal KRB5_CALLCONV +-krb5_anonymous_principal() ++krb5_anonymous_principal(void) + { + return &anon_princ; + } +diff --git a/src/lib/krb5/krb/conv_creds.c b/src/lib/krb5/krb/conv_creds.c +index 6f46088..8d0a317 100644 +--- a/src/lib/krb5/krb/conv_creds.c ++++ b/src/lib/krb5/krb/conv_creds.c +@@ -55,7 +55,7 @@ krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds, + return KRB524_KRB4_DISABLED; + } + +-void KRB5_CALLCONV krb524_init_ets () ++void KRB5_CALLCONV krb524_init_ets (void) + { + } + #endif +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index 18290b7..e7bd226 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -65,7 +65,7 @@ static krb5_enctype default_enctype_list = { + }; + + #if (defined(_WIN32)) +-extern krb5_error_code krb5_vercheck(); ++extern krb5_error_code krb5_vercheck(void); + extern void krb5_win_ccdll_load(krb5_context context); + #endif + +diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c +index 668a7a6..5da550c 100644 +--- a/src/lib/krb5/os/dnsglue.c ++++ b/src/lib/krb5/os/dnsglue.c +@@ -439,7 +439,7 @@ cleanup: + } + + char * +-k5_primary_domain() ++k5_primary_domain(void) + { + return NULL; + } +@@ -497,7 +497,7 @@ errout: + } + + char * +-k5_primary_domain() ++k5_primary_domain(void) + { + char *domain; + DECLARE_HANDLE(h); +diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c +index 92d765f..4e9d07f 100644 +--- a/src/lib/krb5/os/localaddr.c ++++ b/src/lib/krb5/os/localaddr.c +@@ -363,7 +363,7 @@ struct linux_ipv6_addr_list { + struct linux_ipv6_addr_list *next; + }; + static struct linux_ipv6_addr_list * +-get_linux_ipv6_addrs () ++get_linux_ipv6_addrs (void) + { + struct linux_ipv6_addr_list *lst = 0; + FILE *f; +@@ -1082,7 +1082,7 @@ static int print_addr (/*@unused@*/ void *dataptr, struct sockaddr *sa) + return 0; + } + +-int main () ++int main (void) + { + int r; + +@@ -1417,7 +1417,7 @@ get_localaddrs (krb5_context context, krb5_address ***addr, int use_profile) + * by Robert Quinn + */ + #if defined(_WIN32) +-static struct hostent *local_addr_fallback_kludge() ++static struct hostent *local_addr_fallback_kludge(void) + { + static struct hostent host; + static SOCKADDR_IN addr; +diff --git a/src/lib/rpc/getrpcent.c b/src/lib/rpc/getrpcent.c +index ad6793f..b3d94bc 100644 +--- a/src/lib/rpc/getrpcent.c ++++ b/src/lib/rpc/getrpcent.c +@@ -56,10 +56,10 @@ struct rpcdata { + char lineBUFSIZ+1; + char *domain; + } *rpcdata; +-static struct rpcdata *get_rpcdata(); ++static struct rpcdata *get_rpcdata(void); + +-static struct rpcent *interpret(); +-struct hostent *gethostent(); ++static struct rpcent *interpret(void); ++struct hostent *gethostent(void); + + static char RPCDB = "/etc/rpc"; + +diff --git a/src/lib/win_glue.c b/src/lib/win_glue.c +index d650cc3..011acda 100644 +--- a/src/lib/win_glue.c ++++ b/src/lib/win_glue.c +@@ -6,7 +6,7 @@ + #include "asn1_err.h" + #include "kdb5_err.h" + #include "profile.h" +-extern void krb5_stdcc_shutdown(); ++extern void krb5_stdcc_shutdown(void); + #endif + #ifdef GSSAPI + #include "gssapi/generic/gssapi_err_generic.h" +@@ -233,7 +233,7 @@ static int CallVersionServer(app_title, app_version, app_ini, code_cover) + #endif + + #ifdef TIMEBOMB +-static krb5_error_code do_timebomb() ++static krb5_error_code do_timebomb(void) + { + char buf1024; + long timeleft; +@@ -276,7 +276,7 @@ static krb5_error_code do_timebomb() + * doesn't allow you to make messaging calls from LibMain. So, we now + * do the timebomb/version server stuff from krb5_init_context(). + */ +-krb5_error_code krb5_vercheck() ++krb5_error_code krb5_vercheck(void) + { + static int verchecked = 0; + if (verchecked) +@@ -314,7 +314,7 @@ krb5_error_code krb5_vercheck() + + static HINSTANCE hlibinstance; + +-HINSTANCE get_lib_instance() ++HINSTANCE get_lib_instance(void) + { + return hlibinstance; + } +diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c +index 9a344a6..eb8610b 100644 +--- a/src/plugins/kdb/db2/kdb_db2.c ++++ b/src/plugins/kdb/db2/kdb_db2.c +@@ -1165,13 +1165,13 @@ krb5_db2_set_lockmode(krb5_context context, krb5_boolean mode) + * DAL API functions + */ + krb5_error_code +-krb5_db2_lib_init() ++krb5_db2_lib_init(void) + { + return 0; + } + + krb5_error_code +-krb5_db2_lib_cleanup() ++krb5_db2_lib_cleanup(void) + { + /* right now, no cleanup required */ + return 0; +diff --git a/src/plugins/kdb/db2/libdb2/hash/dbm.c b/src/plugins/kdb/db2/libdb2/hash/dbm.c +index 4878cbc..3e46778 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/dbm.c ++++ b/src/plugins/kdb/db2/libdb2/hash/dbm.c +@@ -97,7 +97,7 @@ kdb2_fetch(key) + } + + datum +-kdb2_firstkey() ++kdb2_firstkey(void) + { + datum item; + +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c +index cee4b7b..5e77d5e 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c +@@ -314,13 +314,13 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context, + * DAL API functions + */ + krb5_error_code +-krb5_ldap_lib_init() ++krb5_ldap_lib_init(void) + { + return 0; + } + + krb5_error_code +-krb5_ldap_lib_cleanup() ++krb5_ldap_lib_cleanup(void) + { + /* right now, no cleanup required */ + return 0; +diff --git a/src/tests/threads/gss-perf.c b/src/tests/threads/gss-perf.c +index f3630c2..0ca6d84 100644 +--- a/src/tests/threads/gss-perf.c ++++ b/src/tests/threads/gss-perf.c +@@ -78,7 +78,7 @@ static void usage (void) __attribute__((noreturn)); + static void set_target (char *); + + static void +-usage () ++usage (void) + { + fprintf (stderr, "usage: %s options service-name\n", prog); + fprintf (stderr, " service-name\tGSSAPI host-based service name (e.g., 'host@FQDN')\n"); +@@ -249,7 +249,7 @@ do_accept (gss_buffer_desc *msg, int iter) + } + + static gss_buffer_desc +-do_init () ++do_init (void) + { + OM_uint32 maj_stat, min_stat; + gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; +diff --git a/src/tests/threads/init_ctx.c b/src/tests/threads/init_ctx.c +index 42619a9..dc3d417 100644 +--- a/src/tests/threads/init_ctx.c ++++ b/src/tests/threads/init_ctx.c +@@ -57,7 +57,7 @@ static int do_pause; + static void usage (void) __attribute__((noreturn)); + + static void +-usage () ++usage (void) + { + fprintf (stderr, "usage: %s options \n", prog); + fprintf (stderr, "options:\n"); +diff --git a/src/tests/threads/profread.c b/src/tests/threads/profread.c +index be28ba4..69bdb05 100644 +--- a/src/tests/threads/profread.c ++++ b/src/tests/threads/profread.c +@@ -59,7 +59,7 @@ static int do_pause; + static void usage (void) __attribute__((noreturn)); + + static void +-usage () ++usage (void) + { + fprintf (stderr, "usage: %s options \n", prog); + fprintf (stderr, "options:\n"); +diff --git a/src/tests/threads/t_rcache.c b/src/tests/threads/t_rcache.c +index 07c45cc..8121429 100644 +--- a/src/tests/threads/t_rcache.c ++++ b/src/tests/threads/t_rcache.c +@@ -51,7 +51,7 @@ int n_threads = DEFAULT_N_THREADS; + int interval = DEFAULT_INTERVAL; + int *ip; + +-static void wait_for_tick () ++static void wait_for_tick (void) + { + time_t now, next; + now = time(0); +diff --git a/src/util/et/com_err.c b/src/util/et/com_err.c +index c1e3be7..2e74a4f 100644 +--- a/src/util/et/com_err.c ++++ b/src/util/et/com_err.c +@@ -35,7 +35,7 @@ static /*@null@*/ et_old_error_hook_func com_err_hook = 0; + k5_mutex_t com_err_hook_lock = K5_MUTEX_PARTIAL_INITIALIZER; + + #if defined(_WIN32) +-BOOL isGuiApp() { ++BOOL isGuiApp(void) { + DWORD mypid; + HANDLE myprocess; + mypid = GetCurrentProcessId(); +@@ -161,7 +161,7 @@ et_old_error_hook_func set_com_err_hook (et_old_error_hook_func new_proc) + return x; + } + +-et_old_error_hook_func reset_com_err_hook () ++et_old_error_hook_func reset_com_err_hook (void) + { + et_old_error_hook_func x; + +diff --git a/src/util/et/error_message.c b/src/util/et/error_message.c +index 7dc02a3..460f18c 100644 +--- a/src/util/et/error_message.c ++++ b/src/util/et/error_message.c +@@ -303,7 +303,7 @@ remove_error_table(const struct error_table *et) + return ENOENT; + } + +-int com_err_finish_init() ++int com_err_finish_init(void) + { + return CALL_INIT_FUNCTION(com_err_initialize); + } +diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c +index 78d7f94..96001d5 100644 +--- a/src/util/profile/prof_file.c ++++ b/src/util/profile/prof_file.c +@@ -546,11 +546,11 @@ void profile_dereference_data_locked(prf_data_t data) + profile_free_file_data(data); + } + +-void profile_lock_global() ++void profile_lock_global(void) + { + k5_mutex_lock(&g_shared_trees_mutex); + } +-void profile_unlock_global() ++void profile_unlock_global(void) + { + k5_mutex_unlock(&g_shared_trees_mutex); + } +diff --git a/src/util/support/secure_getenv.c b/src/util/support/secure_getenv.c +index 6df0591..c9b34b6 100644 +--- a/src/util/support/secure_getenv.c ++++ b/src/util/support/secure_getenv.c +@@ -68,7 +68,7 @@ static int elevated_privilege = 0; + MAKE_INIT_FUNCTION(k5_secure_getenv_init); + + int +-k5_secure_getenv_init() ++k5_secure_getenv_init(void) + { + int saved_errno = errno; + +diff --git a/src/windows/include/leashwin.h b/src/windows/include/leashwin.h +index 08b9c7d..c85e6df 100644 +--- a/src/windows/include/leashwin.h ++++ b/src/windows/include/leashwin.h +@@ -160,51 +160,51 @@ void Leash_reset_defaults(void); + #define GOOD_TICKETS 1 + + /* Leash Configuration functions - alters Current User Registry */ +-DWORD Leash_get_default_lifetime(); ++DWORD Leash_get_default_lifetime(void); + DWORD Leash_set_default_lifetime(DWORD minutes); +-DWORD Leash_reset_default_lifetime(); +-DWORD Leash_get_default_renew_till(); ++DWORD Leash_reset_default_lifetime(void); ++DWORD Leash_get_default_renew_till(void); + DWORD Leash_set_default_renew_till(DWORD minutes); +-DWORD Leash_reset_default_renew_till(); +-DWORD Leash_get_default_renewable(); ++DWORD Leash_reset_default_renew_till(void); ++DWORD Leash_get_default_renewable(void); + DWORD Leash_set_default_renewable(DWORD onoff); +-DWORD Leash_reset_default_renewable(); +-DWORD Leash_get_default_forwardable(); ++DWORD Leash_reset_default_renewable(void); ++DWORD Leash_get_default_forwardable(void); + DWORD Leash_set_default_forwardable(DWORD onoff); +-DWORD Leash_reset_default_forwardable(); +-DWORD Leash_get_default_noaddresses(); ++DWORD Leash_reset_default_forwardable(void); ++DWORD Leash_get_default_noaddresses(void); + DWORD Leash_set_default_noaddresses(DWORD onoff); +-DWORD Leash_reset_default_noaddresses(); +-DWORD Leash_get_default_proxiable(); ++DWORD Leash_reset_default_noaddresses(void); ++DWORD Leash_get_default_proxiable(void); + DWORD Leash_set_default_proxiable(DWORD onoff); +-DWORD Leash_reset_default_proxiable(); +-DWORD Leash_get_default_publicip(); ++DWORD Leash_reset_default_proxiable(void); ++DWORD Leash_get_default_publicip(void); + DWORD Leash_set_default_publicip(DWORD ipv4addr); +-DWORD Leash_reset_default_publicip(); +-DWORD Leash_get_hide_kinit_options(); ++DWORD Leash_reset_default_publicip(void); ++DWORD Leash_get_hide_kinit_options(void); + DWORD Leash_set_hide_kinit_options(DWORD onoff); +-DWORD Leash_reset_hide_kinit_options(); +-DWORD Leash_get_default_life_min(); ++DWORD Leash_reset_hide_kinit_options(void); ++DWORD Leash_get_default_life_min(void); + DWORD Leash_set_default_life_min(DWORD minutes); +-DWORD Leash_reset_default_life_min(); +-DWORD Leash_get_default_life_max(); ++DWORD Leash_reset_default_life_min(void); ++DWORD Leash_get_default_life_max(void); + DWORD Leash_set_default_life_max(DWORD minutes); +-DWORD Leash_reset_default_life_max(); +-DWORD Leash_get_default_renew_min(); ++DWORD Leash_reset_default_life_max(void); ++DWORD Leash_get_default_renew_min(void); + DWORD Leash_set_default_renew_min(DWORD minutes); +-DWORD Leash_reset_default_renew_min(); +-DWORD Leash_get_default_renew_max(); ++DWORD Leash_reset_default_renew_min(void); ++DWORD Leash_get_default_renew_max(void); + DWORD Leash_set_default_renew_max(DWORD minutes); +-DWORD Leash_reset_default_renew_max(); +-DWORD Leash_get_default_uppercaserealm(); ++DWORD Leash_reset_default_renew_max(void); ++DWORD Leash_get_default_uppercaserealm(void); + DWORD Leash_set_default_uppercaserealm(DWORD onoff); +-DWORD Leash_reset_default_uppercaserealm(); +-DWORD Leash_get_default_mslsa_import(); ++DWORD Leash_reset_default_uppercaserealm(void); ++DWORD Leash_get_default_mslsa_import(void); + DWORD Leash_set_default_mslsa_import(DWORD onoffmatch); +-DWORD Leash_reset_default_mslsa_import(); +-DWORD Leash_get_default_preserve_kinit_settings(); ++DWORD Leash_reset_default_mslsa_import(void); ++DWORD Leash_get_default_preserve_kinit_settings(void); + DWORD Leash_set_default_preserve_kinit_settings(DWORD onoff); +-DWORD Leash_reset_default_preserve_kinit_settings(); ++DWORD Leash_reset_default_preserve_kinit_settings(void); + #ifdef __cplusplus + } + #endif +-- +2.33.0 +
View file
_service:tar_scm:backport-Handle-empty-initial-buffer-in-IAKERB-initiator.patch
Added
@@ -0,0 +1,38 @@ +From 5f0023d5f05e95021a7caa1193f76f86871222ce Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@samba.org> +Date: Wed, 8 May 2024 10:10:56 +0200 +Subject: PATCH Handle empty initial buffer in IAKERB initiator + +Section 5.19 of RFC 2744 (about gss_init_sec_context) states, +"Initially, the input_token parameter should be specified either as +GSS_C_NO_BUFFER, or as a pointer to a gss_buffer_desc object whose +length field contains the value zero." In iakerb_initiator_step(), +handle both cases when deciding whether to parse an acceptor message. + +ghudson@mit.edu: edited commit message + +ticket: 9126 (new) + +Reference: https://github.com/krb5/krb5/commit/5f0023d5f05e95021a7caa1193f76f86871222ce +Conflict: NA + +--- + src/lib/gssapi/krb5/iakerb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c +index b0d0ede..7a3ad1c 100644 +--- a/src/lib/gssapi/krb5/iakerb.c ++++ b/src/lib/gssapi/krb5/iakerb.c +@@ -539,7 +539,7 @@ iakerb_initiator_step(iakerb_ctx_id_t ctx, + output_token->length = 0; + output_token->value = NULL; + +- if (input_token != GSS_C_NO_BUFFER) { ++ if (input_token != GSS_C_NO_BUFFER && input_token->length > 0) { + code = iakerb_parse_token(ctx, 0, input_token, NULL, &cookie, &in); + if (code != 0) + goto cleanup; +-- +2.33.0 +
View file
_service:tar_scm:fix-leak-in-KDC-NDR-encoding.patch
Added
@@ -0,0 +1,42 @@ +From 0c2de238b5bf1ea4578e3933a604c7850905b8be Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Tue, 5 Mar 2024 17:38:49 -0500 +Subject: PATCH Fix leak in KDC NDR encoding + +If the KDC tries to encode a principal containing encode invalid UTF-8 +sequences for inclusion in a PAC delegation info buffer, it will leak +a small amount of memory in enc_wchar_pointer() before failing. Fix +the leak. + +(cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe) + +ticket: 9115 +version_fixed: 1.21.3 + +--- + src/kdc/ndr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c +index 48395ab..d438408 100644 +--- a/src/kdc/ndr.c ++++ b/src/kdc/ndr.c +@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out) + size_t utf16len, num_wchars; + uint8_t *utf16; + +- k5_buf_init_dynamic(&b); +- + ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len); + if (ret) + return ret; + + num_wchars = utf16len / 2; + ++ k5_buf_init_dynamic(&b); + k5_buf_add_uint32_le(&b, num_wchars + 1); + k5_buf_add_uint32_le(&b, 0); + k5_buf_add_uint32_le(&b, num_wchars); +-- +2.27.0 +
View file
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="scm">git</param> <param name="url">git@gitee.com:src-openeuler/krb5.git</param> - <param name="revision">master</param> + <param name="revision">openEuler-24.09</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2