From cfec96d5e9fb2195f9e14e09bf66a68c969f4bbd Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 3 Nov 2023 14:27:52 +1300 Subject: [PATCH] third_party/heimdal: Import lorikeet-heimdal-202311030123 (commit 2346a67fe25cbf16128501665db41f6840546e15) Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Nov 3 03:53:08 UTC 2023 on atb-devel-224 --- third_party/heimdal/kdc/fast.c | 18 +++-- third_party/heimdal/kdc/pkinit.c | 2 +- third_party/heimdal/lib/hcrypto/bn.c | 4 +- third_party/heimdal/lib/hcrypto/pkcs12.c | 4 +- third_party/heimdal/lib/hdb/common.c | 1 - third_party/heimdal/lib/hdb/hdb-ldap.c | 1 + third_party/heimdal/lib/hx509/ca.c | 13 ++-- third_party/heimdal/lib/hx509/cms.c | 2 +- third_party/heimdal/lib/hx509/hxtool.c | 2 + third_party/heimdal/lib/hx509/ks_file.c | 2 +- third_party/heimdal/lib/krb5/acache.c | 2 + third_party/heimdal/lib/krb5/build_ap_req.c | 6 +- third_party/heimdal/lib/krb5/context.c | 72 ++++++++++++++----- third_party/heimdal/lib/krb5/kx509.c | 2 +- third_party/heimdal/lib/krb5/pkinit.c | 4 +- third_party/heimdal/lib/krb5/store.c | 2 +- third_party/heimdal/lib/roken/base32.c | 16 ++--- .../heimdal/lib/wind/gen-punycode-examples.py | 8 +-- 18 files changed, 108 insertions(+), 53 deletions(-) diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c index 7b96371723e..bc77f74664c 100644 --- a/third_party/heimdal/kdc/fast.c +++ b/third_party/heimdal/kdc/fast.c @@ -406,8 +406,8 @@ _kdc_fast_mk_e_data(astgs_request_t r, NULL, error_client, error_server, - NULL, - NULL, + csec, + cusec, e_data); if (ret) { kdc_log(r->context, r->config, 1, @@ -508,8 +508,8 @@ _kdc_fast_mk_error(astgs_request_t r, error_client = NULL; error_server = NULL; } - csec = 0; - cusec = 0; + csec = NULL; + cusec = NULL; } ret = krb5_mk_error(r->context, @@ -603,6 +603,9 @@ fast_unwrap_request(astgs_request_t r, * */ if (fxreq.u.armored_data.armor != NULL) { + krb5uint32 kvno; + krb5uint32 *kvno_ptr = NULL; + if (fxreq.u.armored_data.armor->armor_type != 1) { kdc_log(r->context, r->config, 4, "Incorrect AS-REQ armor type"); @@ -628,9 +631,14 @@ fast_unwrap_request(astgs_request_t r, goto out; } + if (ap_req.ticket.enc_part.kvno != NULL) { + kvno = *ap_req.ticket.enc_part.kvno; + kvno_ptr = &kvno; + } + ret = _kdc_db_fetch(r->context, r->config, armor_server_principal, HDB_F_GET_KRBTGT | HDB_F_DELAY_NEW_KEYS, - (krb5uint32 *)ap_req.ticket.enc_part.kvno, + kvno_ptr, &r->armor_serverdb, &r->armor_server); if(ret == HDB_ERR_NOT_FOUND_HERE) { free_AP_REQ(&ap_req); diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c index d97ae227ae6..255441ce071 100644 --- a/third_party/heimdal/kdc/pkinit.c +++ b/third_party/heimdal/kdc/pkinit.c @@ -1078,9 +1078,9 @@ pk_mk_pa_reply_dh(krb5_context context, unsigned char *p; ret = _kdc_serialize_ecdh_key(context, cp->u.ecdh.key, &p, &dh_info.subjectPublicKey.length); - dh_info.subjectPublicKey.data = p; if (ret) goto out; + dh_info.subjectPublicKey.data = p; } else krb5_abortx(context, "no keyex selected ?"); diff --git a/third_party/heimdal/lib/hcrypto/bn.c b/third_party/heimdal/lib/hcrypto/bn.c index 62297b145f1..9e9db4ec89a 100644 --- a/third_party/heimdal/lib/hcrypto/bn.c +++ b/third_party/heimdal/lib/hcrypto/bn.c @@ -235,7 +235,7 @@ static const unsigned char is_set[8] = { 1, 2, 4, 8, 16, 32, 64, 128 }; int BN_is_bit_set(const BIGNUM *bn, int bit) { - heim_integer *hi = (heim_integer *)bn; + const heim_integer *hi = (const heim_integer *)bn; unsigned char *p = hi->data; if ((bit / 8) >= hi->length || hi->length == 0) @@ -306,7 +306,7 @@ BN_set_word(BIGNUM *bn, unsigned long num) unsigned long BN_get_word(const BIGNUM *bn) { - heim_integer *hi = (heim_integer *)bn; + const heim_integer *hi = (const heim_integer *)bn; unsigned long num = 0; int i; diff --git a/third_party/heimdal/lib/hcrypto/pkcs12.c b/third_party/heimdal/lib/hcrypto/pkcs12.c index 5f0791feee3..29fc5243605 100644 --- a/third_party/heimdal/lib/hcrypto/pkcs12.c +++ b/third_party/heimdal/lib/hcrypto/pkcs12.c @@ -78,7 +78,7 @@ PKCS12_key_gen(const void *key, size_t keylen, if (salt && saltlen > 0) { for (i = 0; i < vlen; i++) - I[i] = ((unsigned char*)salt)[i % saltlen]; + I[i] = ((const unsigned char*)salt)[i % saltlen]; size_I += vlen; } /* @@ -89,7 +89,7 @@ PKCS12_key_gen(const void *key, size_t keylen, if (key) { for (i = 0; i < vlen / 2; i++) { I[(i * 2) + size_I] = 0; - I[(i * 2) + size_I + 1] = ((unsigned char*)key)[i % (keylen + 1)]; + I[(i * 2) + size_I + 1] = ((const unsigned char*)key)[i % (keylen + 1)]; } size_I += vlen; } diff --git a/third_party/heimdal/lib/hdb/common.c b/third_party/heimdal/lib/hdb/common.c index f86481dd9ea..3b8c7c5f7b6 100644 --- a/third_party/heimdal/lib/hdb/common.c +++ b/third_party/heimdal/lib/hdb/common.c @@ -1629,7 +1629,6 @@ fetch_it(krb5_context context, /* Extra ':'s? No virtualization for you! */ free(host); host = NULL; - htmp = NULL; } else { *htmp = '\0'; } diff --git a/third_party/heimdal/lib/hdb/hdb-ldap.c b/third_party/heimdal/lib/hdb/hdb-ldap.c index 5cd097f5b6b..902426d1276 100644 --- a/third_party/heimdal/lib/hdb/hdb-ldap.c +++ b/third_party/heimdal/lib/hdb/hdb-ldap.c @@ -366,6 +366,7 @@ LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry, if (ret) return ret; + memset(&tm, 0, sizeof tm); tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm); if (tmp == NULL) { free(gentime); diff --git a/third_party/heimdal/lib/hx509/ca.c b/third_party/heimdal/lib/hx509/ca.c index ee5d56af29c..02e256314d7 100644 --- a/third_party/heimdal/lib/hx509/ca.c +++ b/third_party/heimdal/lib/hx509/ca.c @@ -1187,8 +1187,7 @@ hx509_ca_tbs_add_san_permanentIdentifier_string(hx509_context context, p = strchr(freeme, ':'); if (!p) { hx509_set_error_string(context, 0, EINVAL, - "Invalid PermanentIdentifier string (should be \"[]:[]\")", - oidstr); + "Invalid PermanentIdentifier string (should be \"[]:[]\")"); free(freeme); return EINVAL; } @@ -1297,8 +1296,7 @@ hx509_ca_tbs_add_san_hardwareModuleName_string(hx509_context context, if (!p) { hx509_set_error_string(context, 0, EINVAL, "Invalid HardwareModuleName string (should be " - "\":\")", - oidstr); + "\":\")"); free(freeme); return EINVAL; } @@ -1735,7 +1733,12 @@ ca_sign(hx509_context context, hx509_set_error_string(context, 0, ret, "Out of memory"); goto out; } - RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length); + ret = RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length); + if (ret != 1) { + ret = HX509_CRYPTO_INTERNAL_ERROR; + hx509_set_error_string(context, 0, ret, "Failed to generate random bytes"); + goto out; + } ((unsigned char *)tbsc->serialNumber.data)[0] &= 0x7f; ((unsigned char *)tbsc->serialNumber.data)[0] |= 0x40; } diff --git a/third_party/heimdal/lib/hx509/cms.c b/third_party/heimdal/lib/hx509/cms.c index 6bf972ce492..8615f03ee81 100644 --- a/third_party/heimdal/lib/hx509/cms.c +++ b/third_party/heimdal/lib/hx509/cms.c @@ -938,7 +938,7 @@ hx509_cms_verify_signed_ext(hx509_context context, if (signer_info->signature.length == 0) { ret = HX509_CMS_MISSING_SIGNER_DATA; hx509_set_error_string(context, 0, ret, - "SignerInfo %d in SignedData " + "SignerInfo %zu in SignedData " "missing sigature", i); continue; } diff --git a/third_party/heimdal/lib/hx509/hxtool.c b/third_party/heimdal/lib/hx509/hxtool.c index 9dbb5ccb197..f61187163c3 100644 --- a/third_party/heimdal/lib/hx509/hxtool.c +++ b/third_party/heimdal/lib/hx509/hxtool.c @@ -2902,9 +2902,11 @@ ptime(const char *s) char *rest; int at_s; + memset(&at_tm, 0, sizeof at_tm); if ((rest = strptime(s, "%Y-%m-%dT%H:%M:%S", &at_tm)) != NULL && rest[0] == '\0') return mktime(&at_tm); + memset(&at_tm, 0, sizeof at_tm); if ((rest = strptime(s, "%Y%m%d%H%M%S", &at_tm)) != NULL && rest[0] == '\0') return mktime(&at_tm); if ((at_s = parse_time(s, "s")) != -1) diff --git a/third_party/heimdal/lib/hx509/ks_file.c b/third_party/heimdal/lib/hx509/ks_file.c index 6d8c77bd240..35796adb739 100644 --- a/third_party/heimdal/lib/hx509/ks_file.c +++ b/third_party/heimdal/lib/hx509/ks_file.c @@ -197,7 +197,7 @@ parse_pem_private_key(hx509_context context, const char *fn, int flags, if (strcmp(enc, "4,ENCRYPTED") != 0) { hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED, "Private key encrypted in unknown method %s " - "in file", + "in file %s", enc, fn); hx509_clear_error_string(context); return HX509_PARSING_KEY_FAILED; diff --git a/third_party/heimdal/lib/krb5/acache.c b/third_party/heimdal/lib/krb5/acache.c index 63d56c400bf..72403d7b38a 100644 --- a/third_party/heimdal/lib/krb5/acache.c +++ b/third_party/heimdal/lib/krb5/acache.c @@ -88,7 +88,9 @@ static krb5_error_code init_ccapi(krb5_context context) { const char *lib = NULL; +#ifdef HAVE_DLOPEN char *explib = NULL; +#endif HEIMDAL_MUTEX_lock(&acc_mutex); if (init_func) { diff --git a/third_party/heimdal/lib/krb5/build_ap_req.c b/third_party/heimdal/lib/krb5/build_ap_req.c index 01019520514..cb6f60d4a1f 100644 --- a/third_party/heimdal/lib/krb5/build_ap_req.c +++ b/third_party/heimdal/lib/krb5/build_ap_req.c @@ -51,7 +51,11 @@ krb5_build_ap_req (krb5_context context, ap.ap_options.use_session_key = (ap_options & AP_OPTS_USE_SESSION_KEY) > 0; ap.ap_options.mutual_required = (ap_options & AP_OPTS_MUTUAL_REQUIRED) > 0; - decode_Ticket(cred->ticket.data, cred->ticket.length, &ap.ticket, &len); + ret = decode_Ticket(cred->ticket.data, cred->ticket.length, &ap.ticket, &len); + if (ret) + return ret; + if (cred->ticket.length != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); ap.authenticator.etype = enctype; ap.authenticator.kvno = NULL; ap.authenticator.cipher = authenticator; diff --git a/third_party/heimdal/lib/krb5/context.c b/third_party/heimdal/lib/krb5/context.c index 19548d4130d..9d03a80afe2 100644 --- a/third_party/heimdal/lib/krb5/context.c +++ b/third_party/heimdal/lib/krb5/context.c @@ -284,29 +284,47 @@ init_context_from_config_file(krb5_context context) static krb5_error_code cc_ops_register(krb5_context context) { + krb5_error_code ret; + context->cc_ops = NULL; context->num_cc_ops = 0; #ifndef KCM_IS_API_CACHE - krb5_cc_register(context, &krb5_acc_ops, TRUE); + ret = krb5_cc_register(context, &krb5_acc_ops, TRUE); + if (ret) + return ret; #endif - krb5_cc_register(context, &krb5_fcc_ops, TRUE); - krb5_cc_register(context, &krb5_dcc_ops, TRUE); - krb5_cc_register(context, &krb5_mcc_ops, TRUE); + ret = krb5_cc_register(context, &krb5_fcc_ops, TRUE); + if (ret) + return ret; + ret = krb5_cc_register(context, &krb5_dcc_ops, TRUE); + if (ret) + return ret; + ret = krb5_cc_register(context, &krb5_mcc_ops, TRUE); + if (ret) + return ret; #ifdef HAVE_SCC - krb5_cc_register(context, &krb5_scc_ops, TRUE); + ret = krb5_cc_register(context, &krb5_scc_ops, TRUE); + if (ret) + return ret; #endif #ifdef HAVE_KCM #ifdef KCM_IS_API_CACHE - krb5_cc_register(context, &krb5_akcm_ops, TRUE); + ret = krb5_cc_register(context, &krb5_akcm_ops, TRUE); + if (ret) + return ret; #endif - krb5_cc_register(context, &krb5_kcm_ops, TRUE); + ret = krb5_cc_register(context, &krb5_kcm_ops, TRUE); + if (ret) + return ret; #endif #if defined(HAVE_KEYUTILS_H) - krb5_cc_register(context, &krb5_krcc_ops, TRUE); + ret = krb5_cc_register(context, &krb5_krcc_ops, TRUE); + if (ret) + return ret; #endif - _krb5_load_ccache_plugins(context); - return 0; + ret = _krb5_load_ccache_plugins(context); + return ret; } static krb5_error_code @@ -338,18 +356,30 @@ cc_ops_copy(krb5_context context, const krb5_context src_context) static krb5_error_code kt_ops_register(krb5_context context) { + krb5_error_code ret; + context->num_kt_types = 0; context->kt_types = NULL; - krb5_kt_register (context, &krb5_fkt_ops); - krb5_kt_register (context, &krb5_wrfkt_ops); - krb5_kt_register (context, &krb5_javakt_ops); - krb5_kt_register (context, &krb5_mkt_ops); + ret = krb5_kt_register (context, &krb5_fkt_ops); + if (ret) + return ret; + ret = krb5_kt_register (context, &krb5_wrfkt_ops); + if (ret) + return ret; + ret = krb5_kt_register (context, &krb5_javakt_ops); + if (ret) + return ret; + ret = krb5_kt_register (context, &krb5_mkt_ops); + if (ret) + return ret; #ifndef HEIMDAL_SMALLER - krb5_kt_register (context, &krb5_akf_ops); + ret = krb5_kt_register (context, &krb5_akf_ops); + if (ret) + return ret; #endif - krb5_kt_register (context, &krb5_any_ops); - return 0; + ret = krb5_kt_register (context, &krb5_any_ops); + return ret; } static krb5_error_code @@ -476,8 +506,12 @@ krb5_init_context(krb5_context *context) /* init error tables */ _krb5_init_ets(p); - cc_ops_register(p); - kt_ops_register(p); + ret = cc_ops_register(p); + if (ret) + goto out; + ret = kt_ops_register(p); + if (ret) + goto out; #ifdef PKINIT ret = hx509_context_init(&p->hx509ctx); diff --git a/third_party/heimdal/lib/krb5/kx509.c b/third_party/heimdal/lib/krb5/kx509.c index 7525739f66c..3bacdf10db0 100644 --- a/third_party/heimdal/lib/krb5/kx509.c +++ b/third_party/heimdal/lib/krb5/kx509.c @@ -1033,7 +1033,7 @@ rd_kx509_resp(krb5_context context, code = 0; /* No error */ } else if (r.error_code < 0) { code = KRB5KRB_ERR_GENERIC; /* ??? */ - } else if (r.error_code <= KX509_ERR_SRV_OVERLOADED) { + } else if (r.error_code <= KX509_ERR_SRV_OVERLOADED - ERROR_TABLE_BASE_kx59) { /* * RFC6717 (kx509) error code. These are actually not used on the * wire in any existing implementations that we are aware of. Just diff --git a/third_party/heimdal/lib/krb5/pkinit.c b/third_party/heimdal/lib/krb5/pkinit.c index e3707e203a4..0fcaf640955 100644 --- a/third_party/heimdal/lib/krb5/pkinit.c +++ b/third_party/heimdal/lib/krb5/pkinit.c @@ -448,7 +448,9 @@ build_auth_pack(krb5_context context, krb5_clear_error_message(context); return ret; } - RAND_bytes(a->clientDHNonce->data, a->clientDHNonce->length); + ret = RAND_bytes(a->clientDHNonce->data, a->clientDHNonce->length); + if (ret != 1) + return KRB5_CRYPTO_INTERNAL; ret = krb5_copy_data(context, a->clientDHNonce, &ctx->clientDHNonce); if (ret) diff --git a/third_party/heimdal/lib/krb5/store.c b/third_party/heimdal/lib/krb5/store.c index f95fd83aa95..e98dd4b9674 100644 --- a/third_party/heimdal/lib/krb5/store.c +++ b/third_party/heimdal/lib/krb5/store.c @@ -968,7 +968,7 @@ krb5_ret_data(krb5_storage *sp, bytes = sp->fetch(sp, data->data, size); if (bytes < 0 || bytes != size) { krb5_data_free(data); - return (ret < 0)? errno : sp->eof_code; + return (bytes < 0)? errno : sp->eof_code; } } return 0; diff --git a/third_party/heimdal/lib/roken/base32.c b/third_party/heimdal/lib/roken/base32.c index 1a275321644..9eb999a871a 100644 --- a/third_party/heimdal/lib/roken/base32.c +++ b/third_party/heimdal/lib/roken/base32.c @@ -91,14 +91,14 @@ rk_base32_encode(const void *data, int size, char **str, enum rk_base32_flags fl if (i < size) c += q[i]; i++; - p[0] = chars[(c & 0x00000000f800000000ULL) >> 35]; - p[1] = chars[(c & 0x0000000007c0000000ULL) >> 30]; - p[2] = chars[(c & 0x00000000003e000000ULL) >> 25]; - p[3] = chars[(c & 0x000000000001f00000ULL) >> 20]; - p[4] = chars[(c & 0x0000000000000f8000ULL) >> 15]; - p[5] = chars[(c & 0x000000000000007c00ULL) >> 10]; - p[6] = chars[(c & 0x0000000000000003e0ULL) >> 5]; - p[7] = chars[(c & 0x00000000000000001fULL) >> 0]; + p[0] = chars[(c & 0x000000f800000000ULL) >> 35]; + p[1] = chars[(c & 0x00000007c0000000ULL) >> 30]; + p[2] = chars[(c & 0x000000003e000000ULL) >> 25]; + p[3] = chars[(c & 0x0000000001f00000ULL) >> 20]; + p[4] = chars[(c & 0x00000000000f8000ULL) >> 15]; + p[5] = chars[(c & 0x0000000000007c00ULL) >> 10]; + p[6] = chars[(c & 0x00000000000003e0ULL) >> 5]; + p[7] = chars[(c & 0x000000000000001fULL) >> 0]; switch (i - size) { case 4: p[2] = p[3] = '='; HEIM_FALLTHROUGH; case 3: p[4] = '='; HEIM_FALLTHROUGH; diff --git a/third_party/heimdal/lib/wind/gen-punycode-examples.py b/third_party/heimdal/lib/wind/gen-punycode-examples.py index 0896f99d77d..8e47e569810 100644 --- a/third_party/heimdal/lib/wind/gen-punycode-examples.py +++ b/third_party/heimdal/lib/wind/gen-punycode-examples.py @@ -61,10 +61,10 @@ while True: l2 = re.sub('^ *', '', l2) l = l[:-2] + l2 if start: - if re.match('7\.2', l): + if re.match(r'7\.2', l): start = False else: - m = re.search('^ *\([A-Z]\) *(.*)$', l); + m = re.search(r'^ *\([A-Z]\) *(.*)$', l); if m: desc = m.group(1) codes = [] @@ -77,7 +77,7 @@ while True: if m: cases.append([codes, m.group(1), desc]) else: - if re.match('^7\.1', l): + if re.match(r'^7\.1', l): start = True cases = [] @@ -114,7 +114,7 @@ for x in cases: examples_c.file.write( " {%u, {%s}, \"%s\", \"%s\"},\n" % (len(cp), - ",".join([re.sub('[uU]\+', '0x', x) for x in cp]), + ",".join([re.sub(r'[uU]\+', '0x', x) for x in cp]), pc, desc))