The branch, master has been updated via b12a33e2251 third_party/heimdal: import lorikeet-heimdal-202311290849 (commit 84fb4579594a5fd8f8462450777eb24d5832be07) via f65a17e7abb lib:crypto: Use bytearray macros from 83edfcff5cc vfs_ceph: call 'ceph_fgetxattr' only if valid fd
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit b12a33e225197ec71285586ec44140b421f2e5c6 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Nov 29 22:46:28 2023 +1300 third_party/heimdal: import lorikeet-heimdal-202311290849 (commit 84fb4579594a5fd8f8462450777eb24d5832be07) Some of our pending PRs for Heimdal were recently accepted, so this brings in a new update (mostly improved spelling). Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Thu Nov 30 21:25:56 UTC 2023 on atb-devel-224 commit f65a17e7abb83b2d352fd7f75d3a32b7a729b76c Author: Andreas Schneider <a...@samba.org> Date: Thu Nov 30 08:32:45 2023 +0100 lib:crypto: Use bytearray macros Do not use old macros which are not descriptive by the name. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> ----------------------------------------------------------------------- Summary of changes: lib/crypto/gnutls_sp800_108.c | 4 +- third_party/heimdal/kdc/kerberos5.c | 17 +++--- third_party/heimdal/kdc/krb5tgs.c | 2 +- third_party/heimdal/kdc/pkinit.c | 10 ++-- third_party/heimdal/kuser/kinit.c | 2 +- third_party/heimdal/lib/base/json.c | 2 +- third_party/heimdal/lib/hdb/ext.c | 8 +-- third_party/heimdal/lib/hx509/cert.c | 26 ++++----- third_party/heimdal/lib/hx509/cms.c | 64 +++++++++++----------- third_party/heimdal/lib/hx509/crypto-ec.c | 2 +- third_party/heimdal/lib/hx509/crypto.c | 4 +- third_party/heimdal/lib/hx509/hx509_err.et | 2 +- third_party/heimdal/lib/hx509/req.c | 2 +- third_party/heimdal/lib/hx509/revoke.c | 32 +++++------ third_party/heimdal/lib/hx509/test_cms.in | 2 +- third_party/heimdal/lib/kadm5/bump_pw_expire.c | 7 ++- third_party/heimdal/lib/krb5/cache.c | 4 +- third_party/heimdal/lib/krb5/crypto.c | 10 ++-- third_party/heimdal/lib/krb5/digest.c | 2 +- third_party/heimdal/lib/krb5/init_creds_pw.c | 34 ++++++------ third_party/heimdal/lib/krb5/krb5.conf.5 | 3 +- third_party/heimdal/lib/krb5/krb5_err.et | 2 +- third_party/heimdal/lib/krb5/pac.c | 4 +- third_party/heimdal/lib/krb5/pkinit.c | 16 +++--- third_party/heimdal/lib/krb5/store.c | 34 ++++++------ third_party/heimdal/lib/roken/parse_time-test.c | 1 + third_party/heimdal/lib/wind/utf8.c | 8 +-- third_party/heimdal/po/heimdal_krb5/de.po | 2 +- .../heimdal/po/heimdal_krb5/heimdal_krb5.pot | 2 +- third_party/heimdal/po/heimdal_krb5/sv_SE.po | 2 +- 30 files changed, 159 insertions(+), 151 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/crypto/gnutls_sp800_108.c b/lib/crypto/gnutls_sp800_108.c index dc04354d3d2..65710657bae 100644 --- a/lib/crypto/gnutls_sp800_108.c +++ b/lib/crypto/gnutls_sp800_108.c @@ -41,7 +41,7 @@ static NTSTATUS samba_gnutls_sp800_108_derive_key_part( static const uint8_t zero = 0; int rc; - RSIVAL(buf, 0, i); + PUSH_BE_U32(buf, 0, i); rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf)); if (rc < 0) { return gnutls_error_to_ntstatus(rc, @@ -69,7 +69,7 @@ static NTSTATUS samba_gnutls_sp800_108_derive_key_part( return gnutls_error_to_ntstatus( rc, NT_STATUS_HMAC_NOT_SUPPORTED); } - RSIVAL(buf, 0, L); + PUSH_BE_U32(buf, 0, L); rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf)); if (rc < 0) { return gnutls_error_to_ntstatus( diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c index 76cecd3e12f..5991711a289 100644 --- a/third_party/heimdal/kdc/kerberos5.c +++ b/third_party/heimdal/kdc/kerberos5.c @@ -1125,7 +1125,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) ret = pa_enc_ts_decrypt_kvno(r, kvno, &enc_data, &ts_data, &pa_key); if (ret == KRB5KDC_ERR_ETYPE_NOSUPP) { char *estr; - _kdc_set_e_text(r, "No key matching entype"); + _kdc_set_e_text(r, "No key matching enctype"); if(krb5_enctype_to_string(r->context, enc_data.etype, &estr)) estr = NULL; if(estr == NULL) @@ -1143,6 +1143,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) kvno); goto out; } + if (ret == KRB5KDC_ERR_PREAUTH_FAILED) { krb5_error_code ret2; const char *msg = krb5_get_error_message(r->context, ret); @@ -1211,7 +1212,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) krb5_data_free(&ts_data); if(ret){ ret = KRB5KDC_ERR_PREAUTH_FAILED; - _kdc_r_log(r, 4, "Failed to decode PA-ENC-TS_ENC -- %s", + _kdc_r_log(r, 4, "Failed to decode PA-ENC-TS-ENC -- %s", r->cname); goto out; } @@ -1846,7 +1847,7 @@ get_pa_etype_info2(krb5_context context, } /* - * Return 0 if the client have only older enctypes, this is for + * Return 0 if the client has only older enctypes, this is for * determining if the server should send ETYPE_INFO2 or not. */ @@ -2895,7 +2896,7 @@ _kdc_as_rep(astgs_request_t r) if(r->client->flags.postdate && r->server->flags.postdate) r->et.flags.may_postdate = f.allow_postdate; else if (f.allow_postdate){ - _kdc_set_e_text(r, "Ticket may not be postdate"); + _kdc_set_e_text(r, "Ticket may not be postdateable"); ret = KRB5KDC_ERR_POLICY; goto out; } @@ -2936,7 +2937,7 @@ _kdc_as_rep(astgs_request_t r) _kdc_fix_time(&b->till); t = *b->till; - /* be careful not overflowing */ + /* be careful not to overflow */ /* * Pre-auth can override r->client->max_life if configured. @@ -3075,7 +3076,7 @@ _kdc_as_rep(astgs_request_t r) } /* - * Check and session and reply keys + * Check session and reply keys */ if (r->session_key.keytype == ETYPE_NULL) { @@ -3085,7 +3086,7 @@ _kdc_as_rep(astgs_request_t r) } if (r->reply_key.keytype == ETYPE_NULL) { - _kdc_set_e_text(r, "Client have no reply key"); + _kdc_set_e_text(r, "Client has no reply key"); ret = KRB5KDC_ERR_CLIENT_NOTYET; goto out; } @@ -3169,7 +3170,7 @@ _kdc_as_rep(astgs_request_t r) goto out; /* - * Check if message too large + * Check if message is too large */ if (r->datagram_reply && r->reply->length > config->max_datagram_reply_length) { krb5_data_free(r->reply); diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c index af80450c4b0..d744f5610f3 100644 --- a/third_party/heimdal/kdc/krb5tgs.c +++ b/third_party/heimdal/kdc/krb5tgs.c @@ -1789,7 +1789,7 @@ server_lookup: break; if(i == b->etype.len) { kdc_log(context, config, 4, - "Addition ticket have not matching etypes"); + "Addition ticket has no matching etypes"); krb5_clear_error_message(context); ret = KRB5KDC_ERR_ETYPE_NOSUPP; kdc_audit_addreason((kdc_request_t)priv, diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c index 255441ce071..c853359bbc2 100644 --- a/third_party/heimdal/kdc/pkinit.c +++ b/third_party/heimdal/kdc/pkinit.c @@ -534,8 +534,8 @@ _kdc_pk_rd_padata(astgs_request_t priv, } /* - * If the client sent more then 10 EDI, don't bother - * looking more then 10 of performance reasons. + * If the client sent more than 10 EDIs, don't bother + * looking at more than 10 for performance reasons. */ maxedi = edi->len; if (maxedi > 10) @@ -873,7 +873,7 @@ pk_mk_pa_reply_enckey(krb5_context context, *kdc_cert = NULL; /* - * If the message client is a win2k-type but it send pa data + * If the message client is a win2k-type but it sends pa data * 09-binding it expects a IETF (checksum) reply so there can be * no replay attacks. */ @@ -1533,7 +1533,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) krb5_data_free(&ocsp.data); ocsp.expire = 0; } else if (ocsp.expire > 180) { - ocsp.expire -= 180; /* refetch the ocsp before it expire */ + ocsp.expire -= 180; /* refetch the ocsp before it expires */ ocsp.next_update = ocsp.expire; } else { ocsp.next_update = kdc_time; @@ -1808,7 +1808,7 @@ _kdc_pk_check_client(astgs_request_t r, if (strcmp(*subject_name, acl->val[0].subject) != 0) continue; - /* Don't support isser and anchor checking right now */ + /* Don't support issuer and anchor checking right now */ if (acl->val[0].issuer) continue; if (acl->val[0].anchor) diff --git a/third_party/heimdal/kuser/kinit.c b/third_party/heimdal/kuser/kinit.c index 8df1c1b796f..9a2fac642ad 100644 --- a/third_party/heimdal/kuser/kinit.c +++ b/third_party/heimdal/kuser/kinit.c @@ -221,7 +221,7 @@ static struct getargs args[] = { NP_("use this credential cache as FAST armor cache", ""), "cache" }, { "use-referrals", 0, arg_flag, &use_referrals_flag, - NP_("only use referrals, no dns canalisation", ""), NULL }, + NP_("only use referrals, no dns canonicalisation", ""), NULL }, { "windows", 0, arg_flag, &windows_flag, NP_("get windows behavior", ""), NULL }, diff --git a/third_party/heimdal/lib/base/json.c b/third_party/heimdal/lib/base/json.c index 4fa0f2d5aff..ed4ea683308 100644 --- a/third_party/heimdal/lib/base/json.c +++ b/third_party/heimdal/lib/base/json.c @@ -976,7 +976,7 @@ parse_string(struct parse_ctx *ctx) /* NUL-terminate for rk_base64_decode() and plain paranoia */ if (p0 != NULL && p == pend) { /* - * Work out how far p is into p0 to re-esablish p after + * Work out how far p is into p0 to re-establish p after * the realloc() */ size_t p0_to_pend_len = (pend - p0); diff --git a/third_party/heimdal/lib/hdb/ext.c b/third_party/heimdal/lib/hdb/ext.c index 48683ef1607..465a235f744 100644 --- a/third_party/heimdal/lib/hdb/ext.c +++ b/third_party/heimdal/lib/hdb/ext.c @@ -43,7 +43,7 @@ hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent) return 0; /* - * check for unknown extensions and if they where tagged mandatory + * check for unknown extensions and if they were tagged mandatory */ for (i = 0; i < ent->extensions->len; i++) { @@ -52,7 +52,7 @@ hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent) continue; if (ent->extensions->val[i].mandatory) { krb5_set_error_message(context, HDB_ERR_MANDATORY_OPTION, - "Principal have unknown " + "Principal has unknown " "mandatory extension"); return HDB_ERR_MANDATORY_OPTION; } @@ -592,7 +592,7 @@ hdb_validate_key_rotation(krb5_context context, if (new_kr->base_kvno <= last_kvno) { krb5_set_error_message(context, EINVAL, "New key rotation base kvno must be larger " - "the last kvno for the current key " + "than the last kvno for the current key " "rotation (%u)", last_kvno); return EINVAL; } @@ -751,7 +751,7 @@ hdb_entry_add_key_rotation(krb5_context context, ((kr->epoch - prev_kr->epoch) / prev_kr->period))) { krb5_set_error_message(context, EINVAL, "New key rotation base kvno must be larger " - "the last kvno for the current key " + "than the last kvno for the current key " "rotation (%u)", last_kvno); return EINVAL; } diff --git a/third_party/heimdal/lib/hx509/cert.c b/third_party/heimdal/lib/hx509/cert.c index e7e2423c54d..4fcb4ba8da9 100644 --- a/third_party/heimdal/lib/hx509/cert.c +++ b/third_party/heimdal/lib/hx509/cert.c @@ -237,13 +237,13 @@ hx509_set_warn_dest(hx509_context context, heim_log_facility *fac) /** * Selects if the hx509_revoke_verify() function is going to require - * the existans of a revokation method (OCSP, CRL) or not. Note that - * hx509_verify_path(), hx509_cms_verify_signed(), and other function + * the existence of a revocation method (OCSP, CRL) or not. Note that + * hx509_verify_path(), hx509_cms_verify_signed(), and other functions * call hx509_revoke_verify(). * * @param context hx509 context to change the flag for. - * @param flag zero, revokation method required, non zero missing - * revokation method ok + * @param flag zero, revocation method required, non zero missing + * revocation method ok * * @ingroup hx509_verify */ @@ -555,7 +555,7 @@ hx509_cert_ref(hx509_cert cert) } /** - * Allocate an verification context that is used fo control the + * Allocate an verification context that is used to control the * verification process. * * @param context A hx509 context. @@ -952,7 +952,7 @@ hx509_cert_find_subjectAltName_otherName(hx509_context context, ret = add_to_list(list, &sa.val[j].u.otherName.value); if (ret) { hx509_set_error_string(context, 0, ret, - "Error adding an exra SAN to " + "Error adding an extra SAN to " "return list"); hx509_free_octet_string_list(list); free_GeneralNames(&sa); @@ -2436,7 +2436,7 @@ hx509_verify_path(hx509_context context, /* * The subject name of the proxy certificate should be - * CN=XXX,<proxy issuer>, prune of CN and check if its + * CN=XXX,<proxy issuer>. Prune off CN and check if it's * the same over the whole chain of proxy certs and * then check with the EE cert when we get to it. */ @@ -2496,7 +2496,7 @@ hx509_verify_path(hx509_context context, } else { /* * Now we are done with the proxy certificates, this - * cert was an EE cert and we we will fall though to + * cert was an EE cert and we will fall though to * EE checking below. */ type = EE_CERT; @@ -2505,9 +2505,9 @@ hx509_verify_path(hx509_context context, HEIM_FALLTHROUGH; case EE_CERT: /* - * If there where any proxy certificates in the chain + * If there were any proxy certificates in the chain * (proxy_cert_depth > 0), check that the proxy issuer - * matched proxy certificates "base" subject. + * matched the proxy certificate's "base" subject. */ if (proxy_cert_depth) { @@ -2598,7 +2598,7 @@ hx509_verify_path(hx509_context context, } /* - * Verify that no certificates has been revoked. + * Verify that no certificates have been revoked. */ if (ctx->revoke_ctx) { @@ -2681,7 +2681,7 @@ hx509_verify_path(hx509_context context, goto out; } /* - * Verify that the sigature algorithm is not weak. Ignore + * Verify that the signature algorithm is not weak. Ignore * trust anchors since they are provisioned by the user. */ @@ -2708,7 +2708,7 @@ out: * @param signer the certificate that made the signature. * @param alg algorthm that was used to sign the data. * @param data the data that was signed. - * @param sig the sigature to verify. + * @param sig the signature to verify. * * @return An hx509 error code, see hx509_get_error_string(). * diff --git a/third_party/heimdal/lib/hx509/cms.c b/third_party/heimdal/lib/hx509/cms.c index 8615f03ee81..1723f3a6424 100644 --- a/third_party/heimdal/lib/hx509/cms.c +++ b/third_party/heimdal/lib/hx509/cms.c @@ -117,8 +117,8 @@ hx509_cms_wrap_ContentInfo(const heim_oid *oid, * @param in the encoded buffer. * @param oid type of the content. * @param out data to be wrapped. - * @param have_data since the data is optional, this flags show dthe - * diffrence between no data and the zero length data. + * @param have_data since the data is optional, this flag shows the + * difference between no data and the zero length data. * * @return Returns an hx509 error code. * @@ -250,7 +250,7 @@ unparse_CMSIdentifier(hx509_context context, break; } default: - ret = asprintf(str, "certificate have unknown CMSidentifier type"); + ret = asprintf(str, "certificate has unknown CMSidentifier type"); break; } /* @@ -331,7 +331,7 @@ find_CMSIdentifier(hx509_context context, /** * Decode and unencrypt EnvelopedData. * - * Extract data and parameteres from from the EnvelopedData. Also + * Extract data and parameters from the EnvelopedData. Also * supports using detached EnvelopedData. * * @param context A hx509 context. @@ -342,7 +342,7 @@ find_CMSIdentifier(hx509_context context, * EnvelopedData stucture. * @param length length of the data that data point to. * @param encryptedContent in case of detached signature, this - * contains the actual encrypted data, othersize its should be NULL. + * contains the actual encrypted data, otherwise it should be NULL. * @param time_now set the current time, if zero the library uses now as the date. * @param contentType output type oid, should be freed with der_free_oid(). * @param content the data, free with der_free_octet_string(). @@ -437,7 +437,7 @@ hx509_cms_unenvelope(hx509_context context, hx509_cert_free(cert); if (ret == 0) - break; /* succuessfully decrypted cert */ + break; /* successfully decrypted cert */ cert = NULL; ret2 = unparse_CMSIdentifier(context, &ri->rid, &str); if (ret2 == 0) { @@ -531,17 +531,17 @@ out: } /** - * Encrypt end encode EnvelopedData. + * Encrypt and encode EnvelopedData. * * Encrypt and encode EnvelopedData. The data is encrypted with a * random key and the the random key is encrypted with the - * certificates private key. This limits what private key type can be + * certificate's private key. This limits what private key type can be * used to RSA. * * @param context A hx509 context. * @param flags flags to control the behavior. * - HX509_CMS_EV_NO_KU_CHECK - Don't check KU on certificate - * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo + * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crypto * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number * @param cert Certificate to encrypt the EnvelopedData encryption key * with. @@ -773,12 +773,12 @@ find_attribute(const CMSAttributes *attr, const heim_oid *oid) * * @param context A hx509 context. * @param ctx a hx509 verify context. - * @param flags to control the behaivor of the function. + * @param flags to control the behavior of the function. * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below. * @param data pointer to CMS SignedData encoded data. - * @param length length of the data that data point to. + * @param length length of the data that data points to. * @param signedContent external data used for signature. * @param pool certificate pool to build certificates paths. * @param contentType free with der_free_oid(). @@ -829,7 +829,7 @@ hx509_cms_verify_signed(hx509_context context, * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below. * @param data pointer to CMS SignedData encoded data. - * @param length length of the data that data point to. + * @param length length of the data that data points to. * @param signedContent external data used for signature. * @param pool certificate pool to build certificates paths. * @param contentType free with der_free_oid(). @@ -939,7 +939,7 @@ hx509_cms_verify_signed_ext(hx509_context context, ret = HX509_CMS_MISSING_SIGNER_DATA; hx509_set_error_string(context, 0, ret, "SignerInfo %zu in SignedData " - "missing sigature", i); + "missing signature", i); continue; } @@ -972,22 +972,22 @@ hx509_cms_verify_signed_ext(hx509_context context, sa.val = signer_info->signedAttrs->val; sa.len = signer_info->signedAttrs->len; - /* verify that sigature exists */ + /* verify that signature exists */ attr = find_attribute(&sa, &asn1_oid_id_pkcs9_messageDigest); if (attr == NULL) { ret = HX509_CRYPTO_SIGNATURE_MISSING; hx509_set_error_string(context, 0, ret, - "SignerInfo have signed attributes " + "SignerInfo has signed attributes " "but messageDigest (signature) " "is missing"); - goto next_sigature; + goto next_signature; } if (attr->value.len != 1) { ret = HX509_CRYPTO_SIGNATURE_MISSING; hx509_set_error_string(context, 0, ret, - "SignerInfo have more then one " + "SignerInfo has more than one " "messageDigest (signature)"); - goto next_sigature; + goto next_signature; } ret = decode_MessageDigest(attr->value.val[0].data, @@ -998,7 +998,7 @@ hx509_cms_verify_signed_ext(hx509_context context, hx509_set_error_string(context, 0, ret, "Failed to decode " "messageDigest (signature)"); - goto next_sigature; + goto next_signature; } ret = _hx509_verify_signature(context, @@ -1010,7 +1010,7 @@ hx509_cms_verify_signed_ext(hx509_context context, if (ret) { hx509_set_error_string(context, HX509_ERROR_APPEND, ret, "Failed to verify messageDigest"); - goto next_sigature; + goto next_signature; } /* @@ -1024,8 +1024,8 @@ hx509_cms_verify_signed_ext(hx509_context context, if (attr->value.len != 1) { ret = HX509_CMS_DATA_OID_MISMATCH; hx509_set_error_string(context, 0, ret, - "More then one oid in signedAttrs"); - goto next_sigature; + "More than one oid in signedAttrs"); + goto next_signature; } ret = decode_ContentType(attr->value.val[0].data, @@ -1036,7 +1036,7 @@ hx509_cms_verify_signed_ext(hx509_context context, hx509_set_error_string(context, 0, ret, "Failed to decode " "oid in signedAttrs"); - goto next_sigature; + goto next_signature; } match_oid = &decode_oid; } @@ -1050,7 +1050,7 @@ hx509_cms_verify_signed_ext(hx509_context context, if (match_oid == &decode_oid) der_free_oid(&decode_oid); hx509_clear_error_string(context); - goto next_sigature; -- Samba Shared Repository