SLFO-pool/libgsasl
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main libgsasl revision 7f2a519130867e0da4aff4008fb033eb

Browse Source
This commit is contained in:
Adrian Schröter 2024-05-03 15:01:18 +02:00
commit b81431b894
10 changed files with 2000 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

64
0001-Fix-build-issues-with-GCC-12-s-Werror-address.patch Normal file
View File

@ -0,0 +1,64 @@
From 27fbb4c1d6315e404b547dd9b50bdecc41a07eb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dirk=20M=C3=BCller?= <dmueller@suse.de>
Date: Fri, 28 Jan 2022 20:47:37 +0100
Subject: [PATCH] Fix build issues with GCC 12's -Werror=address
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
GCC 12 is able to detect that if(foo) when foo is a char foo[]
is always true, and hence errors out:
printerc:336:7: error: the comparison will always evaluate as 'true'
for the address of 'response' will never be NULL
336 | if (r->response)
| ^
In file included from printer.h:27,
from printer.c:28:
tokens.h:139:8: note: 'response' declared here
139 | char response[DIGEST_MD5_RESPONSE_LENGTH + 1];
| ^~~~~~~~
We can just remove those conditions.
Signed-off-by: Dirk Müller <dmueller@suse.de>
---
lib/digest-md5/printer.c | 11 +++++------
lib/digest-md5/validate.c | 3 ---
2 files changed, 5 insertions(+), 9 deletions(-)
--- a/digest-md5/printer.c
+++ b/digest-md5/printer.c
@@ -333,12 +333,11 @@ digest_md5_print_response (digest_md5_response * r)
return NULL;
}
- if (r->response)
- if (comma_append (&out, "response", r->response, 0) < 0)
- {
- free (out);
- return NULL;
- }
+ if (comma_append (&out, "response", r->response, 0) < 0)
+ {
+ free (out);
+ return NULL;
+ }
if (r->clientmaxbuf)
{
--- a/digest-md5/validate.c
+++ b/digest-md5/validate.c
@@ -102,9 +102,6 @@ digest_md5_validate_response (digest_md5_response * r)
int
digest_md5_validate_finish (digest_md5_finish * f)
{
- if (!f->rspauth)
- return -1;
-
/* A string of 32 hex digits */
if (strlen (f->rspauth) != DIGEST_MD5_RESPONSE_LENGTH)
return -1;
--
2.34.1

26
boundary-check-CVE-2022-2469.patch Normal file
View File

@ -0,0 +1,26 @@
From 796e4197f696261c1f872d7576371232330bcc30 Mon Sep 17 00:00:00 2001
From: Simon Josefsson <simon@josefsson.org>
Date: Fri, 15 Jul 2022 16:23:58 +0200
Subject: [PATCH] GSSAPI server: Boundary check gss_wrap token (read OOB).
---
lib/gssapi/server.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/gssapi/server.c b/lib/gssapi/server.c
index 5410360b..4ebfda47 100644
--- a/lib/gssapi/server.c
+++ b/lib/gssapi/server.c
@@ -218,6 +218,9 @@ _gsasl_gssapi_server_step (Gsasl_session * sctx,
FALSE, and responds with the generated output_message. The
client can then consider the server authenticated. */
+ if (bufdesc2.length < 4)
+ return GSASL_AUTHENTICATION_ERROR;
+
if ((((char *) bufdesc2.value)[0] & GSASL_QOP_AUTH) == 0)
{
/* Integrity or privacy unsupported */
--
GitLab

39
build-fix-old-gcc.patch Normal file
View File

@ -0,0 +1,39 @@
From fde722a4036cba8d7bdf72f50e159e543e54a8c4 Mon Sep 17 00:00:00 2001
From: Simon Josefsson <simon@josefsson.org>
Date: Sun, 24 Oct 2021 18:31:48 +0200
Subject: [PATCH] cicd: Fix builds.
---
.gitlab-ci.yml | 2 +-
lib/src/mechtools.c | 13 ++++++-------
2 files changed, 7 insertions(+), 8 deletions(-)
--- a/src/mechtools.c
+++ b/src/mechtools.c
@@ -225,17 +225,16 @@ _gsasl_gs2_generate_header (bool nonstd, char cbflag,
void
_gsasl_hex_encode (const char *in, size_t inlen, char *out)
{
- size_t i;
- const char *p = in;
+ static const char trans[] = "0123456789abcdef";
- for (i = 0; i < 2 * inlen;)
+ while (inlen--)
{
- unsigned char c = *p++;
- out[i++] = "0123456789abcdef"[c >> 4];
- out[i++] = "0123456789abcdef"[c & 0x0f];
+ unsigned char c = *in++;
+ *out++ = trans[(c >> 4) & 0xf];
+ *out++ = trans[c & 0xf];
}
- out[i] = '\0';
+ *out = '\0';
}
static char
--
GitLab

BIN
libgsasl-1.10.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

11
libgsasl-1.10.0.tar.gz.sig Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEmUFc4ZBdDlWp+IAmhgt/uzL4EZ0FAl/vVXoACgkQhgt/uzL4
EZ0JnAf7B8ZYYVpI9ER+LS9TfiD4TCv91YlfwH1oMRUpF4X3/llCj7HpBIXuVKqk
FzGxE9SIluJxAGxQdrwFV6TPM2eUsNmg8YJyKMurCKn/vGkEAAzPxt8Gp6K6eYp7
NrLaz9SBDXlhyw3Z2A/r8P0LniNA2y2FgXxxGehD66d/C0HGqJkT1MXBwCF5krlS
tKXjFXrXHzzmZcWA9oDmKBgQoqBUoSBnd57zIGvymw8oPkaTZok4b8F8Yi826SVW
AXsqLxdVdFw4ZrBtIv1hxyKWWqERua7wjEaQbRf62qX8niS40OpYSbjxX1W7dep3
DyGXFAj8ughMZ7auH3P4cvcazeUstA==
=kC/Q
-----END PGP SIGNATURE-----

268
libgsasl.changes Normal file
View File

@ -0,0 +1,268 @@
-------------------------------------------------------------------
Tue May 30 09:21:12 UTC 2023 - Adam Majer <adam.majer@suse.de>
- Remove URLs from keyring and generated patch as these can change
at whim of upstream servers. Keep the references in comments so
they are still references for the humans
- uninitialized_x.patch: fixes compilation on s390x
-------------------------------------------------------------------
Tue Oct 25 08:36:11 UTC 2022 - Dirk Müller <dmueller@suse.com>
- refresh keyring
-------------------------------------------------------------------
Tue Sep 27 14:43:58 UTC 2022 - Dirk Müller <dmueller@suse.com>
- add build-fix-old-gcc.patch for older dists
-------------------------------------------------------------------
Mon Sep 12 09:45:33 UTC 2022 - Dirk Müller <dmueller@suse.com>
- add boundary-check-CVE-2022-2469.patch (bsc#1201715)
- avoid duplicate packaging of license
-------------------------------------------------------------------
Mon Jan 31 18:54:07 UTC 2022 - Dirk Müller <dmueller@suse.com>
- add 0001-Fix-build-issues-with-GCC-12-s-Werror-address.patch
-------------------------------------------------------------------
Sat Jan 2 18:41:56 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
- update to 1.10.0:
* SCRAM-SHA-256 and SCRAM-SHA-256-PLUS (RFC 7677)
* New SCRAM crypto helper APIs
* SCRAM server: Support for password-less usage
* SCRAM: Sets SCRAM_ITER/SCRAM_SALT/SCRAM_SALTED_PASSWORD
* SCRAM, GS2, and GSSAPI no longer retrieve the TLS channel
binding data (property GSASL_CB_TLS_UNIQUE) during
gsasl_client_start() or gsasl_server_start()
* A number of legacy and less secure interfaces deprecated
* New APIs for hex encoding/decoding
- add upstream signing key and validate source signature
- refresh spec file
- build with all warnings and treat them as errors
-------------------------------------------------------------------
Fri Mar 13 22:31:19 UTC 2020 - David Mulder <dmulder@suse.com>
- Re-enable GSSAPI by explicitly choosing mit kerberos.
-------------------------------------------------------------------
Tue Feb 4 23:07:18 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 1.8.1:
* gsasl: IMAP client code now permits empty SASL tokens prefixed
with '+'. Normally servers should send '+ '. Buggy servers
include Microsoft Exchange.
* GSSAPI client:
- Now retrieves GSASL_AUTHZID for authorization identity.
- Can now transmit an empty/missing authorization identity.
- See lib/NEWS for more information.
* Build fixes: Update of gnulib, including how it is
bootstrapped.
* Updated translations.
- Run spec-cleaner, modernize spec.
- No longer recommend -lang: supplements are in use.
-------------------------------------------------------------------
Mon Apr 4 14:22:22 CEST 2016 - kukuk@suse.de
- Remove unused buildrequires for libgssglue-devel
-------------------------------------------------------------------
Tue Oct 27 14:44:53 UTC 2015 - meissner@suse.com
- run "make check"
-------------------------------------------------------------------
Sun Feb 8 23:38:09 UTC 2015 - p.drouand@gmail.com
- Update to version 1.8.0
* SAML20 support following RFC 6595.
* OPENID20 support following RFC 6616.
* Various cleanups, portability and other bug fixes.
See the NEWS entries during the 1.7.x branch for details
- Use %lang_package macro instead of manually defined -lang package
- Remove libgsasl-stdio.h.patch; fixed
- Remove fix-arm.patch; fixed
- Use download Url as source
-------------------------------------------------------------------
Thu May 2 04:59:03 UTC 2013 - jengelh@inai.de
- "Recommends" is not understood by RHEL6ish
-------------------------------------------------------------------
Thu Mar 21 08:45:52 UTC 2013 - dmueller@suse.com
- fix build on aarch64 by applying fix-arm.patch
-------------------------------------------------------------------
Mon Feb 11 13:54:19 UTC 2013 - aj@suse.com
- Change lang package Requires to Recommends since it is not
mandatory at runtime.
-------------------------------------------------------------------
Thu Aug 16 21:34:34 UTC 2012 - agraf@suse.com
- fix-arm.patch: Add hack to fix compiling on ARM
-------------------------------------------------------------------
Mon Aug 13 08:54:08 UTC 2012 - cfarrell@suse.com
- license update: LGPL-2.1+ and GPL-3.0+
contains numerous GPL-3.0+ licensed test files
-------------------------------------------------------------------
Sat Aug 11 13:44:34 UTC 2012 - jengelh@inai.de
- Have package compile on RHEL6ish.
-------------------------------------------------------------------
Fri Jul 27 08:14:09 UTC 2012 - aj@suse.de
- Fix build with missing gets declaration (glibc 2.16)
-------------------------------------------------------------------
Sun Mar 25 00:49:09 UTC 2012 - jengelh@medozas.de
- Enable building against libntlm (now that it exists in factory)
-------------------------------------------------------------------
Sun Mar 25 00:14:56 UTC 2012 - jengelh@medozas.de
- Parallel build with %_smp_mflags; strip redundant spec sections
-------------------------------------------------------------------
Fri Jul 8 01:31:06 CEST 2011 - vuntz@opensuse.org
- Stop using source service to download the tarball, as Factory
will move away from this.
-------------------------------------------------------------------
Fri May 27 17:40:04 CEST 2011 - vuntz@opensuse.org
- Update to version 1.6.1:
+ Add a Libs.private to libgsasl.pc.
+ Updated translations.
-------------------------------------------------------------------
Fri Apr 29 18:33:05 UTC 2011 - dimstar@opensuse.org
- Update to version 1.6.0:
+ SCRAM: General fixes and support for SCRAM-SHA-1-PLUS with
channel bindings.
+ GS2-KRB5: New mechanism GS2 with support for Kerberos V5.
+ GSSAPI/GS2-KRB5: Support for MIT Kerberos for Windows GSS-API
library.
+ DIGEST-MD5: The server code now returns GSASL_OK after the
final token.
+ Added property for tls-unique channel binding.
+ No longer require the same or newer libgcrypt it was built
with.
+ Several doc improvements.
+ Update gnulib files.
- Use source services: download_url, recompress and set_Version.
-------------------------------------------------------------------
Thu Mar 25 17:32:27 CET 2010 - vuntz@opensuse.org
- Update to version 1.4.4:
+ SCRAM: Fix build error on platforms without strnlen.
- Changes from version 1.4.3:
+ SCRAM: Don't read out of bounds when parsing tokens.
-------------------------------------------------------------------
Tue Mar 16 15:50:19 CET 2010 - dimstar@opensuse.org
- Update to version 1.4.2:
+ SCRAM: Encode and decode username/authzid properly. Before any
username/authzid that contained '=' or ',' would not work.
+ Fix typo in error message for
GSASL_GSSAPI_ACCEPT_SEC_CONTEXT_ERROR.
+ Updated translations.
-------------------------------------------------------------------
Wed Feb 17 11:57:31 CET 2010 - dimstar@opensuse.org
- Update to version 1.4.1:
+ gsasl: Improve application data throughput
+ Improve MinGW builds
+ Updated translations.
-------------------------------------------------------------------
Wed Dec 2 01:09:19 CET 2009 - vuntz@opensuse.org
- Update to version 1.4.0:
+ Fix Visual Studio project files to work with SCRAM.
+ Properly increment libtool version to reflect newly added ABIs.
This was accidentally forgotten in the last release.
+ Export gsasl_sha1 and gsasl_hmac_sha1 in linker version script.
This was accidentally forgotten in the last release.
+ Fix crash in SCRAM-SHA-1 client when the application provides a
value for GSASL_SCRAM_SALTED_PASSWORD.
+ Fix detection of libgcrypt during builds.
+ Updated translations.
+ Add libgcrypt-devel BuildRequires.
-------------------------------------------------------------------
Fri Nov 13 17:38:06 CET 2009 - vuntz@opensuse.org
- Update to version 1.3:
+ libgsasl: Implement SCRAM-SHA-1.
New properties are GSASL_SCRAM_ITER, GSASL_SCRAM_SALT,
andGSASL_SCRAM_SALTED_PASSWORD.
+ libgsasl: Add helper APIs for SHA-1 and HMAC-SHA-1.
New functions are gsasl_sha1 and gsasl_hmac_sha1.
-------------------------------------------------------------------
Sun Jun 14 04:07:09 CEST 2009 - vuntz@novell.com
- Update to version 1.2:
+ The library needs at most around 250 bytes of stack frame size.
This is useful for embedded platforms with limited amount of
RAM.
+ Obsolete gsasl_md5pwd_get_password rewritten to use modern API.
+ Include a copy of the GPLv3 license in the archive. Some parts,
such as the gnulib self-tests, are licensed under the GPLv3.
The library remains licensed under LGPLv2.1+ though.
- Package COPYING.LIB instead of COPYING: there's no GPLv3 file in
the built package (the GPLv3 files are only in the tarball).
-------------------------------------------------------------------
Wed Jun 10 17:21:15 CEST 2009 - dmueller@suse.de
- Add Requires for lang package to libgsasl7.
-------------------------------------------------------------------
Thu May 7 03:43:32 CEST 2009 - vuntz@novell.com
- Review package.
- Update to version 1.1:
+ DIGEST-MD5 client: Add support for client integrity layer.
+ DIGEST-MD5: Decoding of integrity protected sessions now works
better.
+ libgsasl: Add new property GSASL_QOPS.
+ libgsasl: Add new property GSASL_QOP.
+ DIGEST-MD5 client: Now queries application for QOP value
+ DIGEST-MD5 server: Now queries application for QOP values.
+ DIGEST-MD5 server: No longer advertises support for integrity
by default.
+ libgsasl: Added C pre-processor expressions for version
handling.
+ libgsasl: Use a LD version script on platforms where it is
supported.
+ libgsasl: Compiled with -fvisibility=hidden by default if
supported.
- Remove unneeded libxml2-devel BuildRequires.
- Add a note about libntlm that doesn't exist in openSUSE.
- Do not make libgsasl7 Provide/Obsolete libgsasl.
-------------------------------------------------------------------
Mon Mar 16 09:16:40 CET 2009 - novell@mirell.de
- initial SUSE package

1314
libgsasl.keyring Normal file
View File

File diff suppressed because it is too large Load Diff

120
libgsasl.spec Normal file
View File

@ -0,0 +1,120 @@
#
# spec file for package libgsasl
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: libgsasl
Version: 1.10.0
Release: 0
Summary: Implementation of the SASL framework and a few common SASL mechanisms
License: GPL-3.0-or-later AND LGPL-2.1-or-later
Group: Development/Libraries/C and C++
URL: https://www.gnu.org/software/gsasl/
Source0: https://ftp.gnu.org/gnu/gsasl/%{name}-%{version}.tar.gz
Source1: https://ftp.gnu.org/gnu/gsasl/%{name}-%{version}.tar.gz.sig
# https://josefsson.org/54265e8c.txt#/libgsasl.keyring
Source2: libgsasl.keyring
# https://lists.gnu.org/archive/html/help-gsasl/2022-01/msg00002.html
Patch1: 0001-Fix-build-issues-with-GCC-12-s-Werror-address.patch
# https://gitlab.com/gsasl/gsasl/-/commit/796e4197f696261c1f872d7576371232330bcc30.patch#/boundary-check-CVE-2022-2469.patch
Patch2: boundary-check-CVE-2022-2469.patch
Patch3: build-fix-old-gcc.patch
Patch4: uninitialized_x.patch
BuildRequires: gcc-c++
BuildRequires: gettext-devel >= 0.19.8
BuildRequires: pkgconfig
BuildRequires: pkgconfig(krb5-gssapi)
BuildRequires: pkgconfig(libgcrypt) >= 1.4.4
BuildRequires: pkgconfig(libidn)
BuildRequires: pkgconfig(libntlm) >= 0.3.5
# broken on s390x with LTO optimization, so let's disable it to be safe
%description
GNU SASL is an implementation of the Simple Authentication and
Security Layer framework and a few common SASL mechanisms. SASL is
used by network servers (e.g., IMAP, SMTP) to request authentication
from clients, and in clients to authenticate against servers.
%package -n libgsasl7
Summary: Implementation of the SASL framework and a few common SASL mechanisms
# Needed to make lang package installable
Group: Development/Libraries/C and C++
Provides: %{name} = %{version}
%description -n libgsasl7
GNU SASL is an implementation of the Simple Authentication and
Security Layer framework and a few common SASL mechanisms. SASL is
used by network servers (e.g., IMAP, SMTP) to request authentication
from clients, and in clients to authenticate against servers.
%package devel
Summary: Implementation of the SASL framework and a few common SASL mechanisms
Group: Development/Libraries/C and C++
Requires: libgsasl7 = %{version}
Requires: pkgconfig(krb5-gssapi)
Requires: pkgconfig(libgcrypt)
Requires: pkgconfig(libidn)
Requires: pkgconfig(libntlm)
%description devel
GNU SASL is an implementation of the Simple Authentication and
Security Layer framework and a few common SASL mechanisms. SASL is
used by network servers (e.g., IMAP, SMTP) to request authentication
from clients, and in clients to authenticate against servers.
%lang_package
%prep
%setup -q
%patch1 -p1
%patch2 -p2
%patch3 -p1
%patch4 -p1
%build
%configure \
--disable-static \
--with-pic \
--with-gssapi-impl=mit \
--enable-gcc-warnings \
#
%make_build
%install
%make_install
%find_lang %{name}
find %{buildroot} -type f -name "*.la" -delete -print
%check
%make_build check
%post -n libgsasl7 -p /sbin/ldconfig
%postun -n libgsasl7 -p /sbin/ldconfig
%files -n libgsasl7
%license COPYING*
%doc AUTHORS NEWS README THANKS
%{_libdir}/*.so.*
%files devel
%{_includedir}/gsas*.h
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%files lang -f %{name}.lang
%changelog

132
uninitialized_x.patch Normal file
View File

@ -0,0 +1,132 @@
Fixes this warning
make[2]: Entering directory '/home/abuild/rpmbuild/BUILD/libgsasl-1.10.0/digest-md5'
/usr/bin/bash ../libtool --tag=CC --mode=link gcc -Werror -fanalyzer -fno-common -Wall -Warith-conversion -Wbad-function-cast -Wcast-align=strict -Wdate-time -Wdisabled-optimization -Wdouble-promotion -Wduplicated-branches -Wduplicated-cond -Wextra -Wformat-signedness -Winit-self -Winline -Winvalid-pch -Wlogical-op -Wmissing-declarations -Wmissing-include-dirs -Wmissing-prototypes -Wnested-externs -Wnull-dereference -Wold-style-definition -Wopenmp-simd -Woverlength-strings -Wpacked -Wpointer-arith -Wshadow -Wstack-protector -Wstrict-overflow -Wstrict-prototypes -Wsuggest-attribute=cold -Wsuggest-attribute=format -Wsuggest-attribute=malloc -Wsuggest-attribute=noreturn -Wsuggest-final-methods -Wsuggest-final-types -Wsync-nand -Wtrampolines -Wuninitialized -Wunknown-pragmas -Wunsafe-loop-optimizations -Wunused-macros -Wvariadic-macros -Wvector-operation-performance -Wvla -Wwrite-strings -Warray-bounds=2 -Wattribute-alias=2 -Wformat-overflow=2 -Wformat=2 -Wformat-truncation=2 -Wimplicit-fallthrough=5 -Wshift-overflow=2 -Wunused-const-variable=2 -Wvla-larger-than=4031 -Wno-analyzer-double-free -Wno-analyzer-malloc-leak -Wno-analyzer-null-dereference -Wno-analyzer-use-after-free -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -flto=auto -o test-parser test_parser-test-parser.o libgsasl-digest_md5.la ../gl/libgl.la
libtool: link: gcc -Werror -fanalyzer -fno-common -Wall -Warith-conversion -Wbad-function-cast -Wcast-align=strict -Wdate-time -Wdisabled-optimization -Wdouble-promotion -Wduplicated-branches -Wduplicated-cond -Wextra -Wformat-signedness -Winit-self -Winline -Winvalid-pch -Wlogical-op -Wmissing-declarations -Wmissing-include-dirs -Wmissing-prototypes -Wnested-externs -Wnull-dereference -Wold-style-definition -Wopenmp-simd -Woverlength-strings -Wpacked -Wpointer-arith -Wshadow -Wstack-protector -Wstrict-overflow -Wstrict-prototypes -Wsuggest-attribute=cold -Wsuggest-attribute=format -Wsuggest-attribute=malloc -Wsuggest-attribute=noreturn -Wsuggest-final-methods -Wsuggest-final-types -Wsync-nand -Wtrampolines -Wuninitialized -Wunknown-pragmas -Wunsafe-loop-optimizations -Wunused-macros -Wvariadic-macros -Wvector-operation-performance -Wvla -Wwrite-strings -Warray-bounds=2 -Wattribute-alias=2 -Wformat-overflow=2 -Wformat=2 -Wformat-truncation=2 -Wimplicit-fallthrough=5 -Wshift-overflow=2 -Wunused-const-variable=2 -Wvla-larger-than=4031 -Wno-analyzer-double-free -Wno-analyzer-malloc-leak -Wno-analyzer-null-dereference -Wno-analyzer-use-after-free -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -flto=auto -o test-parser test_parser-test-parser.o ./.libs/libgsasl-digest_md5.a ../gl/.libs/libgl.a -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
../gl/sha256.c: In function 'sha256_process_block':
../gl/sha256.c:462:7: error: use of uninitialized value 'x[1]' [CWE-457] [-Werror=analyzer-use-of-uninitialized-value]
462 | R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
| ^
'hmac_sha256': events 1-2
|
|../gl/hmac.c:59:1:
| 59 | GL_HMAC_FN (const void *key, size_t keylen,
| | ^
| | |
| | (1) entry to 'hmac_sha256'
|......
| 81 | hmac_hash (key, keylen, in, inlen, IPAD, innerhash);
| | ~
| | |
| | (2) calling 'hmac_hash' from 'hmac_sha256'
|
+--> 'hmac_hash': events 3-4
|
| 42 | hmac_hash (const void *key, size_t keylen,
| | ^
| | |
| | (3) entry to 'hmac_hash'
|......
| 50 | memxor (block, key, keylen);
| | ~
| | |
| | (4) calling 'memxor' from 'hmac_hash'
|
+--> 'memxor': events 5-9
|
|../gl/memxor.c:25:1:
| 25 | memxor (void *restrict dest, const void *restrict src, size_t n)
| | ^
| | |
| | (5) entry to 'memxor'
|......
| 30 | for (; n > 0; n--)
| | ~
| | |
| | (6) following 'true' branch (when 'n_3 != 0')...
| | (8) following 'false' branch (when 'n_3 == 0')...
| 31 | *d++ ^= *s++;
| | ~
| | |
| | (7) ...to here
| 32 |
| 33 | return dest;
| | ~
| | |
| | (9) ...to here
|
<------+
|
'hmac_hash': events 10-11
|
|../gl/hmac.c:50:3:
| 50 | memxor (block, key, keylen);
| | ^
| | |
| | (10) returning to 'hmac_hash' from 'memxor'
|......
| 53 | GL_HMAC_FN_BLOC (block, sizeof block, &hmac_ctx);
| | ~
| | |
| | (11) calling 'sha256_process_block' from 'hmac_hash'
|
+--> 'sha256_process_block': events 12-14
|
|../gl/sha256.c:409:1:
| 409 | sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
| | ^
| | |
| | (12) entry to 'sha256_process_block'
|......
| 414 | uint32_t x[16];
| | ~
| | |
| | (13) region created on stack here
|......
| 449 | while (words < endp)
| | ~
| | |
| | (14) following 'true' branch (when 'words_1902 < endp_1916')...
|
'sha256_process_block': event 15
|
|lto1:
| (15): ...to here
|
'sha256_process_block': events 16-20
|
| 455 | for (t = 0; t < 16; t++)
| | ^
| | |
| | (16) following 'true' branch (when 't_1911 != 16')...
| | (18) following 'false' branch (when 't_1911 == 16')...
| 456 | {
| 457 | x[t] = SWAP (*words);
| | ~
| | |
| | (17) ...to here
|......
| 461 | R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
| | ~
| | |
| | (19) ...to here
| 462 | R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
| | ~
| | |
| | (20) use of uninitialized value 'x[1]' here
|
lto1: all warnings being treated as errors
Index: libgsasl-1.10.0/gl/sha256.c
===================================================================
--- libgsasl-1.10.0.orig/gl/sha256.c
+++ libgsasl-1.10.0/gl/sha256.c
@@ -446,6 +446,8 @@ sha256_process_block (const void *buffer
D += t1; H = t0 + t1; \
} while(0)
+ memset(x, 0, sizeof(x));
+
while (words < endp)
{
uint32_t tm;