backport patches to fix bugs and CVE-2024-37370 CVE-2024-37371

Signed-off-by: xuraoqing <xuraoqing@huawei.com>

backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch

@@ -0,0 +1,536 @@
+From b0a2f8a5365f2eec3e27d78907de9f9d2c80505a Mon Sep 17 00:00:00 2001                 
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 14 Jun 2024 10:56:12 -0400
+Subject: [PATCH] Fix vulnerabilities in GSS message token handling
+
+In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
+verify the Extra Count field of CFX wrap tokens against the encrypted
+header.  Reported by Jacob Champion.
+
+In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
+length too short to contain the encrypted header and extra count
+bytes.  Reported by Jacob Champion.
+
+In kg_unseal_iov_token(), separately track the header IOV length and
+complete token length when parsing the token's ASN.1 wrapper.  This
+fix contains modified versions of functions from k5-der.h and
+util_token.c; this duplication will be cleaned up in a future commit.
+
+CVE-2024-37370:
+
+In MIT krb5 release 1.3 and later, an attacker can modify the
+plaintext Extra Count field of a confidential GSS krb5 wrap token,
+causing the unwrapped token to appear truncated to the application.
+
+CVE-2024-37371:
+
+In MIT krb5 release 1.3 and later, an attacker can cause invalid
+memory reads by sending message tokens with invalid length fields.
+
+ticket: 9128 (new)
+tags: pullup
+target_version: 1.21-next
+
+Reference: https://github.com/krb5/krb5/commit/b0a2f8a5365f2eec3e27d78907de9f9d2c80505a
+Conflict: src/tests/gssapi/t_invalid.c
+
+---
+ src/lib/gssapi/krb5/k5sealv3.c    |   5 +
+ src/lib/gssapi/krb5/k5sealv3iov.c |   3 +-
+ src/lib/gssapi/krb5/k5unsealiov.c |  80 +++++++++-
+ src/tests/gssapi/t_invalid.c      | 233 +++++++++++++++++++++++++-----
+ 4 files changed, 275 insertions(+), 46 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
+index e881eee..d3210c1 100644
+--- a/src/lib/gssapi/krb5/k5sealv3.c
++++ b/src/lib/gssapi/krb5/k5sealv3.c
+@@ -400,10 +400,15 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
+             /* Don't use bodysize here!  Use the fact that
+                cipher.ciphertext.length has been adjusted to the
+                correct length.  */
++            if (plain.length < 16 + ec) {
++                free(plain.data);
++                goto defective;
++            }
+             althdr = (unsigned char *)plain.data + plain.length - 16;
+             if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
+                 || althdr[2] != ptr[2]
+                 || althdr[3] != ptr[3]
++                || load_16_be(althdr+4) != ec
+                 || memcmp(althdr+8, ptr+8, 8)) {
+                 free(plain.data);
+                 goto defective;
+diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c
+index 333ee12..f8e90c3 100644
+--- a/src/lib/gssapi/krb5/k5sealv3iov.c
++++ b/src/lib/gssapi/krb5/k5sealv3iov.c
+@@ -402,9 +402,10 @@ gss_krb5int_unseal_v3_iov(krb5_context context,
+             if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
+                 || althdr[2] != ptr[2]
+                 || althdr[3] != ptr[3]
++                || load_16_be(althdr + 4) != ec
+                 || memcmp(althdr + 8, ptr + 8, 8) != 0) {
+                 *minor_status = 0;
+-                return GSS_S_BAD_SIG;
++                return GSS_S_DEFECTIVE_TOKEN;
+             }
+         } else {
+             /* Verify checksum: note EC is checksum size here, not padding */
+diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
+index 3ce2a90..6a6585d 100644
+--- a/src/lib/gssapi/krb5/k5unsealiov.c
++++ b/src/lib/gssapi/krb5/k5unsealiov.c
+@@ -25,6 +25,7 @@
+  */
+ 
+ #include "k5-int.h"
++#include "k5-der.h"
+ #include "gssapiP_krb5.h"
+ 
+ static OM_uint32
+@@ -247,6 +248,73 @@ cleanup:
+     return retval;
+ }
+ 
++/* Similar to k5_der_get_value(), but output an unchecked content length
++ * instead of a k5input containing the contents. */
++static inline bool
++get_der_tag(struct k5input *in, uint8_t idbyte, size_t *len_out)
++{
++    uint8_t lenbyte, i;
++    size_t len;
++
++    /* Do nothing if in is empty or the next byte doesn't match idbyte. */
++    if (in->status || in->len == 0 || *in->ptr != idbyte)
++        return false;
++
++    /* Advance past the identifier byte and decode the length. */
++    (void)k5_input_get_byte(in);
++    lenbyte = k5_input_get_byte(in);
++    if (lenbyte < 128) {
++        len = lenbyte;
++    } else {
++        len = 0;
++        for (i = 0; i < (lenbyte & 0x7F); i++) {
++            if (len > (SIZE_MAX >> 8)) {
++                k5_input_set_status(in, EOVERFLOW);
++                return false;
++            }
++            len = (len << 8) | k5_input_get_byte(in);
++        }
++    }
++
++    if (in->status)
++        return false;
++
++    *len_out = len;
++    return true;
++}
++
++/*
++ * Similar to g_verify_token_header() without toktype or flags, but do not read
++ * more than *header_len bytes of ASN.1 wrapper, and on output set *header_len
++ * to the remaining number of header bytes.  Verify the outer DER tag's length
++ * against token_len, which may be larger (but not smaller) than *header_len.
++ */
++static gss_int32
++verify_detached_wrapper(const gss_OID_desc *mech, size_t *header_len,
++                        uint8_t **header_in, size_t token_len)
++{
++    struct k5input in, mech_der;
++    gss_OID_desc toid;
++    size_t len;
++
++    k5_input_init(&in, *header_in, *header_len);
++
++    if (get_der_tag(&in, 0x60, &len)) {
++        if (len != token_len - (in.ptr - *header_in))
++            return G_BAD_TOK_HEADER;
++        if (!k5_der_get_value(&in, 0x06, &mech_der))
++            return G_BAD_TOK_HEADER;
++        toid.elements = (uint8_t *)mech_der.ptr;
++        toid.length = mech_der.len;
++        if (!g_OID_equal(&toid, mech))
++            return G_WRONG_MECH;
++    }
++
++    *header_in = (uint8_t *)in.ptr;
++    *header_len = in.len;
++    return 0;
++}
++
+ /*
+  * Caller must provide TOKEN | DATA | PADDING | TRAILER, except
+  * for DCE in which case it can just provide TOKEN | DATA (must
+@@ -267,8 +335,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
+     gss_iov_buffer_t header;
+     gss_iov_buffer_t padding;
+     gss_iov_buffer_t trailer;
+-    size_t input_length;
+-    unsigned int bodysize;
++    size_t input_length, hlen;
+     int toktype2;
+ 
+     header = kg_locate_header_iov(iov, iov_count, toktype);
+@@ -298,15 +365,14 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
+             input_length += trailer->buffer.length;
+     }
+ 
+-    code = g_verify_token_header(ctx->mech_used,
+-                                 &bodysize, &ptr, -1,
+-                                 input_length, 0);
++    hlen = header->buffer.length;
++    code = verify_detached_wrapper(ctx->mech_used, &hlen, &ptr, input_length);
+     if (code != 0) {
+         *minor_status = code;
+         return GSS_S_DEFECTIVE_TOKEN;
+     }
+ 
+-    if (bodysize < 2) {
++    if (hlen < 2) {
+         *minor_status = (OM_uint32)G_BAD_TOK_HEADER;
+         return GSS_S_DEFECTIVE_TOKEN;
+     }
+@@ -314,7 +380,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
+     toktype2 = load_16_be(ptr);
+ 
+     ptr += 2;
+-    bodysize -= 2;
++    hlen -= 2;
+ 
+     switch (toktype2) {
+     case KG2_TOK_MIC_MSG:
+diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
+index fb8fe55..d1f019f 100644
+--- a/src/tests/gssapi/t_invalid.c
++++ b/src/tests/gssapi/t_invalid.c
+@@ -36,31 +36,41 @@
+  *
+  * 1. A pre-CFX wrap or MIC token processed with a CFX-only context causes a
+  *    null pointer dereference.  (The token must use SEAL_ALG_NONE or it will
+- *    be rejected.)
++ *    be rejected.)  This vulnerability also applies to IOV unwrap.
+  *
+- * 2. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1
++ * 2. A CFX wrap token with a different value of EC between the plaintext and
++ *    encrypted copies will be erroneously accepted, which allows a message
++ *    truncation attack.  This vulnerability also applies to IOV unwrap.
++ *
++ * 3. A CFX wrap token with a plaintext length fewer than 16 bytes causes an
++ *    access before the beginning of the input buffer, possibly leading to a
++ *    crash.
++ *
++ * 4. A CFX wrap token with a plaintext EC value greater than the plaintext
++ *    length - 16 causes an integer underflow when computing the result length,
++ *    likely causing a crash.
++ *
++ * 5. An IOV unwrap operation will overrun the header buffer if an ASN.1
++ *    wrapper longer than the header buffer is present.
++ *
++ * 6. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1
+  *    header causes an input buffer overrun, usually leading to either a segv
+  *    or a GSS_S_DEFECTIVE_TOKEN error due to garbage algorithm, filler, or
+- *    sequence number values.
++ *    sequence number values.  This vulnerability also applies to IOV unwrap.
+  *
+- * 3. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1
++ * 7. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1
+  *    header causes an integer underflow when computing the ciphertext length,
+  *    leading to an allocation error on 32-bit platforms or a segv on 64-bit
+  *    platforms.  A pre-CFX MIC token of this size causes an input buffer
+  *    overrun when comparing the checksum, perhaps leading to a segv.
+  *
+- * 4. A pre-CFX wrap token with fewer than conflen + padlen bytes in the
++ * 8. A pre-CFX wrap token with fewer than conflen + padlen bytes in the
+  *    ciphertext (where padlen is the last byte of the decrypted ciphertext)
+  *    causes an integer underflow when computing the original message length,
+  *    leading to an allocation error.
+  *
+- * 5. In the mechglue, truncated encapsulation in the initial context token can
++ * 9. In the mechglue, truncated encapsulation in the initial context token can
+  *    cause input buffer overruns in gss_accept_sec_context().
+- *
+- * Vulnerabilities #1 and #2 also apply to IOV unwrap, although tokens with
+- * fewer than 16 bytes after the ASN.1 header will be rejected.
+- * Vulnerabilities #2 and #5 can only be robustly detected using a
+- * memory-checking environment such as valgrind.
+  */
+ 
+ #include "k5-int.h"
+@@ -98,16 +108,24 @@ struct test {
+ };
+ 
+ /* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key. */
++static void *
++ealloc(size_t len)
++{
++    void *ptr = calloc(len, 1);
++
++    if (ptr == NULL)
++        abort();
++    return ptr;
++}
++
++/* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key.
++ * The context takes ownership of subkey. */
+ static gss_ctx_id_t
+-make_fake_cfx_context()
++make_fake_cfx_context(krb5_key subkey)
+ {
+     gss_union_ctx_id_t uctx;
+     krb5_gss_ctx_id_t kgctx;
+-    krb5_keyblock kb;
+-
+-    kgctx = calloc(1, sizeof(*kgctx));
+-    if (kgctx == NULL)
+-        abort();
++    kgctx = ealloc(sizeof(*kgctx));
+     kgctx->established = 1;
+     kgctx->proto = 1;
+     if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0)
+@@ -116,15 +134,10 @@ make_fake_cfx_context()
+     kgctx->sealalg = -1;
+     kgctx->signalg = -1;
+ 
+-    kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+-    kb.length = 16;
+-    kb.contents = (unsigned char *)"1234567887654321";
+-    if (krb5_k_create_key(NULL, &kb, &kgctx->subkey) != 0)
+-        abort();
++    kgctx->subkey = subkey;
++    kgctx->cksumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
+ 
+-    uctx = calloc(1, sizeof(*uctx));
+-    if (uctx == NULL)
+-        abort();
++    uctx = ealloc(sizeof(*uctx));
+     uctx->mech_type = &mech_krb5;
+     uctx->internal_ctx_id = (gss_ctx_id_t)kgctx;
+     return (gss_ctx_id_t)uctx;
+@@ -138,9 +151,7 @@ make_fake_context(const struct test *test)
+     krb5_gss_ctx_id_t kgctx;
+     krb5_keyblock kb;
+ 
+-    kgctx = calloc(1, sizeof(*kgctx));
+-    if (kgctx == NULL)
+-        abort();
++    kgctx = ealloc(sizeof(*kgctx));
+     kgctx->established = 1;
+     if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0)
+         abort();
+@@ -162,9 +173,7 @@ make_fake_context(const struct test *test)
+     if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0)
+         abort();
+ 
+-    uctx = calloc(1, sizeof(*uctx));
+-    if (uctx == NULL)
+-        abort();
++    uctx = ealloc(sizeof(*uctx));
+     uctx->mech_type = &mech_krb5;
+     uctx->internal_ctx_id = (gss_ctx_id_t)kgctx;
+     return (gss_ctx_id_t)uctx;
+@@ -194,9 +203,7 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out)
+ 
+     assert(mech_krb5.length == 9);
+     assert(len + 11 < 128);
+-    wrapped = malloc(len + 13);
+-    if (wrapped == NULL)
+-        abort();
++    wrapped = ealloc(len + 13);
+     wrapped[0] = 0x60;
+     wrapped[1] = len + 11;
+     wrapped[2] = 0x06;
+@@ -207,6 +214,18 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out)
+     out->value = wrapped;
+ }
+ 
++/* Create a 16-byte header for a CFX confidential wrap token to be processed by
++ * the fake CFX context. */
++static void
++write_cfx_header(uint16_t ec, uint8_t *out)
++{
++    memset(out, 0, 16);
++    store_16_be(KG2_TOK_WRAP_MSG, out);
++    out[2] = FLAG_WRAP_CONFIDENTIAL;
++    out[3] = 0xFF;
++    store_16_be(ec, out + 4);
++}
++
+ /* Unwrap a superficially valid RFC 1964 token with a CFX-only context, with
+  * regular and IOV unwrap. */
+ static void
+@@ -238,6 +257,134 @@ test_bogus_1964_token(gss_ctx_id_t ctx)
+     free(in.value);
+ }
+ 
++static void
++test_cfx_altered_ec(gss_ctx_id_t ctx, krb5_key subkey)
++{
++    OM_uint32 major, minor;
++    uint8_t tokbuf[128], plainbuf[24];
++    krb5_data plain;
++    krb5_enc_data cipher;
++    gss_buffer_desc in, out;
++    gss_iov_buffer_desc iov[2];
++
++    /* Construct a header with a plaintext EC value of 3. */
++    write_cfx_header(3, tokbuf);
++
++    /* Encrypt a plaintext and a copy of the header with the EC value 0. */
++    memcpy(plainbuf, "truncate", 8);
++    memcpy(plainbuf + 8, tokbuf, 16);
++    store_16_be(0, plainbuf + 12);
++    plain = make_data(plainbuf, 24);
++    cipher.ciphertext.data = (char *)tokbuf + 16;
++    cipher.ciphertext.length = sizeof(tokbuf) - 16;
++    cipher.enctype = subkey->keyblock.enctype;
++    if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
++                       &plain, &cipher) != 0)
++        abort();
++
++    /* Verify that the token is rejected by gss_unwrap(). */
++    in.value = tokbuf;
++    in.length = 16 + cipher.ciphertext.length;
++    major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
++    if (major != GSS_S_DEFECTIVE_TOKEN)
++        abort();
++    (void)gss_release_buffer(&minor, &out);
++
++    /* Verify that the token is rejected by gss_unwrap_iov(). */
++    iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
++    iov[0].buffer = in;
++    iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
++    major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
++    if (major != GSS_S_DEFECTIVE_TOKEN)
++        abort();
++}
++
++static void
++test_cfx_short_plaintext(gss_ctx_id_t ctx, krb5_key subkey)
++{
++    OM_uint32 major, minor;
++    uint8_t tokbuf[128], zerobyte = 0;
++    krb5_data plain;
++    krb5_enc_data cipher;
++    gss_buffer_desc in, out;
++
++    write_cfx_header(0, tokbuf);
++
++    /* Encrypt a single byte, with no copy of the header. */
++    plain = make_data(&zerobyte, 1);
++    cipher.ciphertext.data = (char *)tokbuf + 16;
++    cipher.ciphertext.length = sizeof(tokbuf) - 16;
++    cipher.enctype = subkey->keyblock.enctype;
++    if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
++                       &plain, &cipher) != 0)
++        abort();
++
++    /* Verify that the token is rejected by gss_unwrap(). */
++    in.value = tokbuf;
++    in.length = 16 + cipher.ciphertext.length;
++    major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
++    if (major != GSS_S_DEFECTIVE_TOKEN)
++        abort();
++    (void)gss_release_buffer(&minor, &out);
++}
++
++static void
++test_cfx_large_ec(gss_ctx_id_t ctx, krb5_key subkey)
++{
++    OM_uint32 major, minor;
++    uint8_t tokbuf[128] = { 0 }, plainbuf[20];
++    krb5_data plain;
++    krb5_enc_data cipher;
++    gss_buffer_desc in, out;
++
++    /* Construct a header with an EC value of 5. */
++    write_cfx_header(5, tokbuf);
++
++    /* Encrypt a 4-byte plaintext plus the header. */
++    memcpy(plainbuf, "abcd", 4);
++    memcpy(plainbuf + 4, tokbuf, 16);
++    plain = make_data(plainbuf, 20);
++    cipher.ciphertext.data = (char *)tokbuf + 16;
++    cipher.ciphertext.length = sizeof(tokbuf) - 16;
++    cipher.enctype = subkey->keyblock.enctype;
++    if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
++                       &plain, &cipher) != 0)
++        abort();
++
++    /* Verify that the token is rejected by gss_unwrap(). */
++    in.value = tokbuf;
++    in.length = 16 + cipher.ciphertext.length;
++    major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
++    if (major != GSS_S_DEFECTIVE_TOKEN)
++        abort();
++    (void)gss_release_buffer(&minor, &out);
++}
++
++static void
++test_iov_large_asn1_wrapper(gss_ctx_id_t ctx)
++{
++    OM_uint32 minor, major;
++    uint8_t databuf[10] = { 0 };
++    gss_iov_buffer_desc iov[2];
++
++    /*
++     * In this IOV array, the header contains a DER tag with a dangling eight
++     * bytes of length field.  The data IOV indicates a total token length
++     * sufficient to contain the length bytes.
++     */
++    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
++    iov[0].buffer.value = ealloc(2);
++    iov[0].buffer.length = 2;
++    memcpy(iov[0].buffer.value, "\x60\x88", 2);
++    iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
++    iov[1].buffer.value = databuf;
++    iov[1].buffer.length = 10;
++    major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
++    if (major != GSS_S_DEFECTIVE_TOKEN)
++        abort();
++    free(iov[0].buffer.value);
++}
++
+ /* Process wrap and MIC tokens with incomplete headers. */
+ static void
+ test_short_header(gss_ctx_id_t ctx)
+@@ -387,9 +534,7 @@ try_accept(void *value, size_t len)
+     gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
+ 
+     /* Copy the provided value to make input overruns more obvious. */
+-    in.value = malloc(len);
+-    if (in.value == NULL)
+-        abort();
++    in.value = ealloc(len);
+     memcpy(in.value, value, len);
+     in.length = len;
+     (void)gss_accept_sec_context(&minor, &ctx, GSS_C_NO_CREDENTIAL, &in,
+@@ -424,11 +569,23 @@ test_short_encapsulation()
+ int
+ main(int argc, char **argv)
+ {
++    krb5_keyblock kb;
++    krb5_key cfx_subkey;
+     gss_ctx_id_t ctx;
+     size_t i;
+ 
+-    ctx = make_fake_cfx_context();
++    kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
++    kb.length = 16;
++    kb.contents = (unsigned char *)"1234567887654321";
++    if (krb5_k_create_key(NULL, &kb, &cfx_subkey) != 0)
++        abort();
++
++    ctx = make_fake_cfx_context(cfx_subkey);
+     test_bogus_1964_token(ctx);
++    test_cfx_altered_ec(ctx, cfx_subkey);
++    test_cfx_short_plaintext(ctx, cfx_subkey);
++    test_cfx_large_ec(ctx, cfx_subkey);
++    test_iov_large_asn1_wrapper(ctx);
+     free_fake_context(ctx);
+ 
+     for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
+-- 
+2.33.0
+

backport-Fix-Python-regexp-literals.patch

@@ -0,0 +1,44 @@
+From 4b21b2e2821d3cb91042be09e0ebe09707a57d72 Mon Sep 17 00:00:00 2001                 
+From: Arjun <pkillarjun@protonmail.com>
+Date: Thu, 9 May 2024 20:47:08 +0530
+Subject: [PATCH] Fix Python regexp literals
+
+Add missing "r" prefixes before literals using regexp escape
+sequences.
+
+[ghudson@mit.edu: split into separate commit; rewrote commit message]
+
+Reference: https://github.com/krb5/krb5/commit/4b21b2e2821d3cb91042be09e0ebe09707a57d72
+Conflict: NA
+
+---
+ src/util/cstyle-file.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/cstyle-file.py b/src/util/cstyle-file.py
+index 837fa05..56b1e32 100644
+--- a/src/util/cstyle-file.py
++++ b/src/util/cstyle-file.py
+@@ -208,7 +208,7 @@ def check_assignment_in_conditional(line, ln):
+ 
+ 
+ def indent(line):
+-    return len(re.match('\s*', line).group(0).expandtabs())
++    return len(re.match(r'\s*', line).group(0).expandtabs())
+ 
+ 
+ def check_unbraced_flow_body(line, ln, lines):
+@@ -220,8 +220,8 @@ def check_unbraced_flow_body(line, ln, lines):
+     if m and (m.group(1) is None) != (m.group(3) is None):
+         warn(ln, 'One arm of if/else statement braced but not the other')
+ 
+-    if (re.match('\s*(if|else if|for|while)\s*\(.*\)$', line) or
+-        re.match('\s*else$', line)):
++    if (re.match(r'\s*(if|else if|for|while)\s*\(.*\)$', line) or
++        re.match(r'\s*else$', line)):
+         base = indent(line)
+         # Look at the next two lines (ln is 1-based so lines[ln] is next).
+         if indent(lines[ln]) > base and indent(lines[ln + 1]) > base:
+-- 
+2.33.0
+

backport-Fix-more-non-prototype-functions.patch

@@ -0,0 +1,857 @@
+From 623d649ba852839ba4822934bad9f97c184bf3ab Mon Sep 17 00:00:00 2001
+From: Arjun <pkillarjun@protonmail.com>
+Date: Thu, 9 May 2024 20:47:08 +0530
+Subject: [PATCH] Fix more non-prototype functions
+
+Add "void" designations to more function declarations and definitions
+not changed by commits 3ae9244cd021a75eba909d872a92c25db490714d and
+4b9d7f7c107f01a61600fddcd8cde3812d0366a2.
+
+[ghudson@mit.edu: change additional functions; split into two commits;
+rewrote commit message]
+
+Reference:https://github.com/krb5/krb5/commit/623d649ba852839ba4822934bad9f97c184bf3ab
+Conflict: src/lib/crypto/crypto_tests/vectors.c
+
+---
+ src/ccapi/common/win/OldCC/ccutils.c          |  2 +-
+ src/ccapi/common/win/OldCC/ccutils.h          |  2 +-
+ src/ccapi/common/win/OldCC/util.h             |  2 +-
+ src/ccapi/common/win/win-utils.c              |  2 +-
+ src/ccapi/common/win/win-utils.h              |  4 +-
+ src/ccapi/lib/ccapi_context.h                 |  2 +-
+ src/ccapi/lib/win/dllmain.h                   |  2 +-
+ src/ccapi/server/ccs_server.c                 |  2 +-
+ src/ccapi/server/ccs_server.h                 |  2 +-
+ src/ccapi/server/win/WorkQueue.h              |  8 +--
+ src/ccapi/test/pingtest.c                     |  2 +-
+ src/include/gssrpc/netdb.h                    |  4 +-
+ src/include/port-sockets.h                    |  2 +-
+ src/kadmin/cli/getdate.y                      |  2 +-
+ src/kadmin/dbutil/kdb5_util.c                 |  2 +-
+ src/kprop/kprop.c                             |  2 +-
+ src/lib/crypto/crypto_tests/t_pkcs5.c         |  4 +-
+ src/lib/crypto/crypto_tests/vectors.c         |  8 +--
+ src/lib/gssapi/generic/maptest.c              |  2 +-
+ src/lib/krb5/ccache/ccapi/stdcc.c             |  6 +-
+ src/lib/krb5/ccache/ccapi/winccld.c           |  9 ++-
+ src/lib/krb5/ccache/ccbase.c                  |  2 +-
+ src/lib/krb5/krb/bld_princ.c                  |  4 +-
+ src/lib/krb5/krb/conv_creds.c                 |  2 +-
+ src/lib/krb5/krb/init_ctx.c                   |  2 +-
+ src/lib/krb5/os/dnsglue.c                     |  4 +-
+ src/lib/krb5/os/localaddr.c                   |  6 +-
+ src/lib/rpc/getrpcent.c                       |  6 +-
+ src/lib/win_glue.c                            |  8 +--
+ src/plugins/kdb/db2/kdb_db2.c                 |  4 +-
+ src/plugins/kdb/db2/libdb2/hash/dbm.c         |  2 +-
+ .../kdb/ldap/libkdb_ldap/kdb_ldap_conn.c      |  4 +-
+ src/tests/threads/gss-perf.c                  |  4 +-
+ src/tests/threads/init_ctx.c                  |  2 +-
+ src/tests/threads/profread.c                  |  2 +-
+ src/tests/threads/t_rcache.c                  |  2 +-
+ src/util/et/com_err.c                         |  4 +-
+ src/util/et/error_message.c                   |  2 +-
+ src/util/profile/prof_file.c                  |  4 +-
+ src/util/support/secure_getenv.c              |  2 +-
+ src/windows/include/leashwin.h                | 60 +++++++++----------
+ 41 files changed, 99 insertions(+), 98 deletions(-)
+
+diff --git a/src/ccapi/common/win/OldCC/ccutils.c b/src/ccapi/common/win/OldCC/ccutils.c
+index 403c67e..7abaefa 100644
+--- a/src/ccapi/common/win/OldCC/ccutils.c
++++ b/src/ccapi/common/win/OldCC/ccutils.c
+@@ -30,7 +30,7 @@
+ #include "cci_debugging.h"
+ #include "util.h"
+ 
+-BOOL isNT() {
++BOOL isNT(void) {
+     OSVERSIONINFO osvi;
+     DWORD   status              = 0;
+     BOOL    bSupportedVersion   = FALSE;
+diff --git a/src/ccapi/common/win/OldCC/ccutils.h b/src/ccapi/common/win/OldCC/ccutils.h
+index 9da3d87..0fb7e14 100644
+--- a/src/ccapi/common/win/OldCC/ccutils.h
++++ b/src/ccapi/common/win/OldCC/ccutils.h
+@@ -33,7 +33,7 @@ extern "C" {
+ #define REPLY_SUFFIX    (char*)"reply"
+ #define LISTEN_SUFFIX   (char*)"listen"
+ 
+-BOOL    isNT();
++BOOL    isNT(void);
+ char*   allocEventName   (char* uuid, char* suffix);
+ HANDLE  createThreadEvent(char* uuid, char* suffix);
+ HANDLE  openThreadEvent  (char* uuid, char* suffix);
+diff --git a/src/ccapi/common/win/OldCC/util.h b/src/ccapi/common/win/OldCC/util.h
+index 45e069a..7ee5319 100644
+--- a/src/ccapi/common/win/OldCC/util.h
++++ b/src/ccapi/common/win/OldCC/util.h
+@@ -30,7 +30,7 @@
+ extern "C" {
+ #endif
+ 
+-BOOL isNT();
++BOOL isNT(void);
+ 
+ void*
+ user_allocate(
+diff --git a/src/ccapi/common/win/win-utils.c b/src/ccapi/common/win/win-utils.c
+index b49cca8..d9018a6 100644
+--- a/src/ccapi/common/win/win-utils.c
++++ b/src/ccapi/common/win/win-utils.c
+@@ -60,7 +60,7 @@ char* serverEndpoint(const char* user) {
+     return _serverEndpoint;
+     }
+ 
+-char* timestamp() {
++char* timestamp(void) {
+     SYSTEMTIME  _stime;
+     GetSystemTime(&_stime);
+     GetTimeFormat(LOCALE_SYSTEM_DEFAULT, 0, &_stime, "HH:mm:ss", _ts, sizeof(_ts)-1);
+diff --git a/src/ccapi/common/win/win-utils.h b/src/ccapi/common/win/win-utils.h
+index 41cab24..94d0a9f 100644
+--- a/src/ccapi/common/win/win-utils.h
++++ b/src/ccapi/common/win/win-utils.h
+@@ -50,6 +50,6 @@ char*                   clientEndpoint(const char* UUID);
+ char*                   serverEndpoint(const char* UUID);
+ extern unsigned char*   pszProtocolSequence;
+ 
+-char* timestamp();
++char* timestamp(void);
+ 
+-#endif // _win_utils_h
+\ No newline at end of file
++#endif // _win_utils_h
+diff --git a/src/ccapi/lib/ccapi_context.h b/src/ccapi/lib/ccapi_context.h
+index 51b8982..88f0ee8 100644
+--- a/src/ccapi/lib/ccapi_context.h
++++ b/src/ccapi/lib/ccapi_context.h
+@@ -79,7 +79,7 @@ cc_int32 ccapi_context_compare (cc_context_t  in_context,
+                                 cc_uint32    *out_equal);
+ 
+ #ifdef WIN32
+-void cci_thread_init__auxinit();
++void cci_thread_init__auxinit(void);
+ #endif
+ 
+ 
+diff --git a/src/ccapi/lib/win/dllmain.h b/src/ccapi/lib/win/dllmain.h
+index 8238566..28ca34e 100644
+--- a/src/ccapi/lib/win/dllmain.h
++++ b/src/ccapi/lib/win/dllmain.h
+@@ -32,7 +32,7 @@
+ extern "C" {          // we need to export the C interface
+ #endif
+ 
+-DWORD GetTlsIndex();
++DWORD GetTlsIndex(void);
+ 
+ #ifdef __cplusplus
+ }
+diff --git a/src/ccapi/server/ccs_server.c b/src/ccapi/server/ccs_server.c
+index 1fc8d2c..de74b71 100644
+--- a/src/ccapi/server/ccs_server.c
++++ b/src/ccapi/server/ccs_server.c
+@@ -402,7 +402,7 @@ cc_int32 ccs_server_send_reply (ccs_pipe_t     in_reply_pipe,
+ 
+ /* ------------------------------------------------------------------------ */
+ 
+-cc_uint64 ccs_server_client_count ()
++cc_uint64 ccs_server_client_count (void)
+ {
+     return ccs_client_array_count (g_client_array);
+ }
+diff --git a/src/ccapi/server/ccs_server.h b/src/ccapi/server/ccs_server.h
+index e920ad9..f71ab06 100644
+--- a/src/ccapi/server/ccs_server.h
++++ b/src/ccapi/server/ccs_server.h
+@@ -48,6 +48,6 @@ cc_int32 ccs_server_send_reply (ccs_pipe_t     in_reply_pipe,
+                                 cc_int32       in_reply_err,
+                                 k5_ipc_stream   in_reply_data);
+ 
+-cc_uint64 ccs_server_client_count ();
++cc_uint64 ccs_server_client_count (void);
+ 
+ #endif /* CCS_SERVER_H */
+diff --git a/src/ccapi/server/win/WorkQueue.h b/src/ccapi/server/win/WorkQueue.h
+index 68aa8b1..66a2960 100644
+--- a/src/ccapi/server/win/WorkQueue.h
++++ b/src/ccapi/server/win/WorkQueue.h
+@@ -29,14 +29,14 @@
+ #include "windows.h"
+ #include "ccs_pipe.h"
+ 
+-EXTERN_C    int worklist_initialize();
++EXTERN_C    int worklist_initialize(void);
+ 
+-EXTERN_C    int worklist_cleanup();
++EXTERN_C    int worklist_cleanup(void);
+ 
+ /* Wait for work to be added to the list (via worklist_add) from another thread */
+-EXTERN_C    void worklist_wait();
++EXTERN_C    void worklist_wait(void);
+ 
+-EXTERN_C    BOOL worklist_isEmpty();
++EXTERN_C    BOOL worklist_isEmpty(void);
+ 
+ EXTERN_C    int worklist_add(  const long          rpcmsg,
+                                 const ccs_pipe_t    pipe,
+diff --git a/src/ccapi/test/pingtest.c b/src/ccapi/test/pingtest.c
+index 0ffc15e..24327c2 100644
+--- a/src/ccapi/test/pingtest.c
++++ b/src/ccapi/test/pingtest.c
+@@ -23,7 +23,7 @@ extern cc_int32 cci_os_ipc_msg( cc_int32        in_launch_server,
+ 
+ static DWORD    dwTlsIndex;
+ 
+-DWORD GetTlsIndex()    {return dwTlsIndex;}
++DWORD GetTlsIndex(void)    {return dwTlsIndex;}
+ 
+ RPC_STATUS send_test(char* endpoint) {
+     unsigned char*  pszNetworkAddress   = NULL;
+diff --git a/src/include/gssrpc/netdb.h b/src/include/gssrpc/netdb.h
+index f933fbb..2f62edf 100644
+--- a/src/include/gssrpc/netdb.h
++++ b/src/include/gssrpc/netdb.h
+@@ -53,6 +53,8 @@ struct rpcent {
+ };
+ #endif /*STRUCT_RPCENT_IN_RPC_NETDB_H*/
+ 
+-struct rpcent *getrpcbyname(), *getrpcbynumber(), *getrpcent();
++struct rpcent *getrpcbyname(const char *name);
++struct rpcent *getrpcbynumber(int number);
++struct rpcent *getrpcent(void);
+ 
+ #endif
+diff --git a/src/include/port-sockets.h b/src/include/port-sockets.h
+index 57e5d1d..228e4cf 100644
+--- a/src/include/port-sockets.h
++++ b/src/include/port-sockets.h
+@@ -111,7 +111,7 @@ static __inline void TranslatedWSASetLastError(int posix_error)
+  * Translate Winsock errors to their POSIX counterparts.  This is necessary for
+  * MSVC 2010+, where both Winsock and POSIX errors are defined.
+  */
+-static __inline int TranslatedWSAGetLastError()
++static __inline int TranslatedWSAGetLastError(void)
+ {
+     int err = WSAGetLastError();
+     switch (err) {
+diff --git a/src/kadmin/cli/getdate.y b/src/kadmin/cli/getdate.y
+index d14cf96..6d80027 100644
+--- a/src/kadmin/cli/getdate.y
++++ b/src/kadmin/cli/getdate.y
+@@ -778,7 +778,7 @@ LookupWord(char *buff)
+ 
+ 
+ static int
+-yylex()
++yylex(void)
+ {
+     char		c;
+     char		*p;
+diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
+index 19a5925..12c6d32 100644
+--- a/src/kadmin/dbutil/kdb5_util.c
++++ b/src/kadmin/dbutil/kdb5_util.c
+@@ -74,7 +74,7 @@ int exit_status = 0;
+ krb5_context util_context;
+ kadm5_config_params global_params;
+ 
+-void usage()
++void usage(void)
+ {
+     fprintf(stderr,
+             _("Usage: kdb5_util [-r realm] [-d dbname] "
+diff --git a/src/kprop/kprop.c b/src/kprop/kprop.c
+index 8f9fd69..e8f7feb 100644
+--- a/src/kprop/kprop.c
++++ b/src/kprop/kprop.c
+@@ -80,7 +80,7 @@ static void send_error(krb5_context context, krb5_creds *my_creds, int fd,
+                        char *err_text, krb5_error_code err_code);
+ static void update_last_prop_file(char *hostname, char *file_name);
+ 
+-static void usage()
++static void usage(void)
+ {
+     fprintf(stderr, _("\nUsage: %s [-r realm] [-f file] [-d] [-P port] "
+                       "[-s keytab] replica_host\n\n"), progname);
+diff --git a/src/lib/crypto/crypto_tests/t_pkcs5.c b/src/lib/crypto/crypto_tests/t_pkcs5.c
+index 8e87a80..f4bb33e 100644
+--- a/src/lib/crypto/crypto_tests/t_pkcs5.c
++++ b/src/lib/crypto/crypto_tests/t_pkcs5.c
+@@ -38,7 +38,7 @@ static void printdata (krb5_data *d) {
+     printhex (d->length, d->data);
+ }
+ 
+-static void test_pbkdf2_rfc3211()
++static void test_pbkdf2_rfc3211(void)
+ {
+     char x[100];
+     krb5_error_code err;
+@@ -92,7 +92,7 @@ static void test_pbkdf2_rfc3211()
+     }
+ }
+ 
+-int main ()
++int main(void)
+ {
+     test_pbkdf2_rfc3211();
+     return 0;
+diff --git a/src/lib/crypto/crypto_tests/vectors.c b/src/lib/crypto/crypto_tests/vectors.c
+index eb107db..b40551d 100644
+--- a/src/lib/crypto/crypto_tests/vectors.c
++++ b/src/lib/crypto/crypto_tests/vectors.c
+@@ -56,7 +56,7 @@ static void printdata (krb5_data *d) { printhex (d->length, d->data); }
+ 
+ static void printkey (krb5_keyblock *k) { printhex (k->length, k->contents); }
+ 
+-static void test_nfold ()
++static void test_nfold (void)
+ {
+     int i;
+     static const struct {
+@@ -96,7 +96,7 @@ static void test_nfold ()
+    so try to generate them. */
+ 
+ static void
+-test_mit_des_s2k ()
++test_mit_des_s2k (void)
+ {
+     static const struct {
+         const char *pass;
+@@ -223,7 +223,7 @@ void DR (krb5_data *out, krb5_keyblock *in, const krb5_data *usage) {
+ #define KEYBYTES  21
+ #define KEYLENGTH 24
+ 
+-void test_dr_dk ()
++void test_dr_dk (void)
+ {
+     static const struct {
+         unsigned char keydata[KEYLENGTH];
+@@ -367,7 +367,7 @@ static void printk(const char *descr, krb5_keyblock *k) {
+ 
+ 
+ static void
+-test_pbkdf2()
++test_pbkdf2(void)
+ {
+     static struct {
+         int count;
+diff --git a/src/lib/gssapi/generic/maptest.c b/src/lib/gssapi/generic/maptest.c
+index 566d88c..ab3ed90 100644
+--- a/src/lib/gssapi/generic/maptest.c
++++ b/src/lib/gssapi/generic/maptest.c
+@@ -42,7 +42,7 @@ static void intprt(int v, FILE *f)
+ 
+ foo foo1;
+ 
+-int main ()
++int main (void)
+ {
+     elt v1 = { 1, 2 }, v2 = { 3, 4 };
+     const elt *vp;
+diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c
+index 427b329..9cd2ad3 100644
+--- a/src/lib/krb5/ccache/ccapi/stdcc.c
++++ b/src/lib/krb5/ccache/ccapi/stdcc.c
+@@ -101,7 +101,7 @@ krb5_cc_ops krb5_cc_stdcc_ops = {
+  * changes made.  We register a unique message type with which
+  * we'll communicate to all other processes.
+  */
+-static void cache_changed()
++static void cache_changed(void)
+ {
+     static unsigned int message = 0;
+ 
+@@ -112,7 +112,7 @@ static void cache_changed()
+ }
+ #else /* _WIN32 */
+ 
+-static void cache_changed()
++static void cache_changed(void)
+ {
+     return;
+ }
+@@ -242,7 +242,7 @@ static krb5_error_code stdccv3_setup (krb5_context context,
+ }
+ 
+ /* krb5_stdcc_shutdown is exported; use the old name */
+-void krb5_stdcc_shutdown()
++void krb5_stdcc_shutdown(void)
+ {
+     if (gCntrlBlock) { cc_context_release(gCntrlBlock); }
+     gCntrlBlock = NULL;
+diff --git a/src/lib/krb5/ccache/ccapi/winccld.c b/src/lib/krb5/ccache/ccapi/winccld.c
+index 8b2e90c..62b1bd7 100644
+--- a/src/lib/krb5/ccache/ccapi/winccld.c
++++ b/src/lib/krb5/ccache/ccapi/winccld.c
+@@ -18,8 +18,8 @@ extern const krb5_cc_ops krb5_fcc_ops;
+ 
+ static int krb5_win_ccdll_loaded = 0;
+ 
+-extern void krb5_win_ccdll_load();
+-extern int krb5_is_ccdll_loaded();
++extern void krb5_win_ccdll_load(krb5_context context);
++extern int krb5_is_ccdll_loaded(void);
+ 
+ /*
+  * return codes
+@@ -81,8 +81,7 @@ static int LoadFuncs(const char* dll_name, FUNC_INFO fi[],
+     return LF_OK;
+ }
+ 
+-void krb5_win_ccdll_load(context)
+-    krb5_context    context;
++void krb5_win_ccdll_load(krb5_context context)
+ {
+     krb5_cc_register(context, &krb5_fcc_ops, 0);
+     if (krb5_win_ccdll_loaded)
+@@ -93,7 +92,7 @@ void krb5_win_ccdll_load(context)
+     krb5_cc_dfl_ops = &krb5_cc_stdcc_ops; /* Use stdcc! */
+ }
+ 
+-int krb5_is_ccdll_loaded()
++int krb5_is_ccdll_loaded(void)
+ {
+     return krb5_win_ccdll_loaded;
+ }
+diff --git a/src/lib/krb5/ccache/ccbase.c b/src/lib/krb5/ccache/ccbase.c
+index 5a01320..696b681 100644
+--- a/src/lib/krb5/ccache/ccbase.c
++++ b/src/lib/krb5/ccache/ccbase.c
+@@ -614,7 +614,7 @@ k5_cccol_unlock(krb5_context context)
+ 
+ /* necessary to make reentrant locks play nice with krb5int_cc_finalize */
+ void
+-k5_cccol_force_unlock()
++k5_cccol_force_unlock(void)
+ {
+     /* sanity check */
+     if ((&cccol_lock)->refcount == 0) {
+diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
+index ff8265a..701454f 100644
+--- a/src/lib/krb5/krb/bld_princ.c
++++ b/src/lib/krb5/krb/bld_princ.c
+@@ -170,13 +170,13 @@ const krb5_principal_data anon_princ = {
+ };
+ 
+ const krb5_data * KRB5_CALLCONV
+-krb5_anonymous_realm()
++krb5_anonymous_realm(void)
+ {
+     return &anon_realm_data;
+ }
+ 
+ krb5_const_principal KRB5_CALLCONV
+-krb5_anonymous_principal()
++krb5_anonymous_principal(void)
+ {
+     return &anon_princ;
+ }
+diff --git a/src/lib/krb5/krb/conv_creds.c b/src/lib/krb5/krb/conv_creds.c
+index 6f46088..8d0a317 100644
+--- a/src/lib/krb5/krb/conv_creds.c
++++ b/src/lib/krb5/krb/conv_creds.c
+@@ -55,7 +55,7 @@ krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds,
+     return KRB524_KRB4_DISABLED;
+ }
+ 
+-void KRB5_CALLCONV krb524_init_ets ()
++void KRB5_CALLCONV krb524_init_ets (void)
+ {
+ }
+ #endif
+diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
+index 18290b7..e7bd226 100644
+--- a/src/lib/krb5/krb/init_ctx.c
++++ b/src/lib/krb5/krb/init_ctx.c
+@@ -65,7 +65,7 @@ static krb5_enctype default_enctype_list[] = {
+ };
+ 
+ #if (defined(_WIN32))
+-extern krb5_error_code krb5_vercheck();
++extern krb5_error_code krb5_vercheck(void);
+ extern void krb5_win_ccdll_load(krb5_context context);
+ #endif
+ 
+diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c
+index 668a7a6..5da550c 100644
+--- a/src/lib/krb5/os/dnsglue.c
++++ b/src/lib/krb5/os/dnsglue.c
+@@ -439,7 +439,7 @@ cleanup:
+ }
+ 
+ char *
+-k5_primary_domain()
++k5_primary_domain(void)
+ {
+     return NULL;
+ }
+@@ -497,7 +497,7 @@ errout:
+ }
+ 
+ char *
+-k5_primary_domain()
++k5_primary_domain(void)
+ {
+     char *domain;
+     DECLARE_HANDLE(h);
+diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c
+index 92d765f..4e9d07f 100644
+--- a/src/lib/krb5/os/localaddr.c
++++ b/src/lib/krb5/os/localaddr.c
+@@ -363,7 +363,7 @@ struct linux_ipv6_addr_list {
+     struct linux_ipv6_addr_list *next;
+ };
+ static struct linux_ipv6_addr_list *
+-get_linux_ipv6_addrs ()
++get_linux_ipv6_addrs (void)
+ {
+     struct linux_ipv6_addr_list *lst = 0;
+     FILE *f;
+@@ -1082,7 +1082,7 @@ static int print_addr (/*@unused@*/ void *dataptr, struct sockaddr *sa)
+     return 0;
+ }
+ 
+-int main ()
++int main (void)
+ {
+     int r;
+ 
+@@ -1417,7 +1417,7 @@ get_localaddrs (krb5_context context, krb5_address ***addr, int use_profile)
+  * by Robert Quinn
+  */
+ #if defined(_WIN32)
+-static struct hostent *local_addr_fallback_kludge()
++static struct hostent *local_addr_fallback_kludge(void)
+ {
+     static struct hostent   host;
+     static SOCKADDR_IN      addr;
+diff --git a/src/lib/rpc/getrpcent.c b/src/lib/rpc/getrpcent.c
+index ad6793f..b3d94bc 100644
+--- a/src/lib/rpc/getrpcent.c
++++ b/src/lib/rpc/getrpcent.c
+@@ -56,10 +56,10 @@ struct rpcdata {
+ 	char	line[BUFSIZ+1];
+ 	char	*domain;
+ } *rpcdata;
+-static struct rpcdata *get_rpcdata();
++static struct rpcdata *get_rpcdata(void);
+ 
+-static	struct rpcent *interpret();
+-struct	hostent *gethostent();
++static	struct rpcent *interpret(void);
++struct	hostent *gethostent(void);
+ 
+ static char RPCDB[] = "/etc/rpc";
+ 
+diff --git a/src/lib/win_glue.c b/src/lib/win_glue.c
+index d650cc3..011acda 100644
+--- a/src/lib/win_glue.c
++++ b/src/lib/win_glue.c
+@@ -6,7 +6,7 @@
+ #include "asn1_err.h"
+ #include "kdb5_err.h"
+ #include "profile.h"
+-extern void krb5_stdcc_shutdown();
++extern void krb5_stdcc_shutdown(void);
+ #endif
+ #ifdef GSSAPI
+ #include "gssapi/generic/gssapi_err_generic.h"
+@@ -233,7 +233,7 @@ static int CallVersionServer(app_title, app_version, app_ini, code_cover)
+ #endif
+ 
+ #ifdef TIMEBOMB
+-static krb5_error_code do_timebomb()
++static krb5_error_code do_timebomb(void)
+ {
+ 	char buf[1024];
+ 	long timeleft;
+@@ -276,7 +276,7 @@ static krb5_error_code do_timebomb()
+  * doesn't allow you to make messaging calls from LibMain.  So, we now
+  * do the timebomb/version server stuff from krb5_init_context().
+  */
+-krb5_error_code krb5_vercheck()
++krb5_error_code krb5_vercheck(void)
+ {
+ 	static int verchecked = 0;
+ 	if (verchecked)
+@@ -314,7 +314,7 @@ krb5_error_code krb5_vercheck()
+ 
+ static HINSTANCE hlibinstance;
+ 
+-HINSTANCE get_lib_instance()
++HINSTANCE get_lib_instance(void)
+ {
+     return hlibinstance;
+ }
+diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
+index 9a344a6..eb8610b 100644
+--- a/src/plugins/kdb/db2/kdb_db2.c
++++ b/src/plugins/kdb/db2/kdb_db2.c
+@@ -1165,13 +1165,13 @@ krb5_db2_set_lockmode(krb5_context context, krb5_boolean mode)
+  *     DAL API functions
+  */
+ krb5_error_code
+-krb5_db2_lib_init()
++krb5_db2_lib_init(void)
+ {
+     return 0;
+ }
+ 
+ krb5_error_code
+-krb5_db2_lib_cleanup()
++krb5_db2_lib_cleanup(void)
+ {
+     /* right now, no cleanup required */
+     return 0;
+diff --git a/src/plugins/kdb/db2/libdb2/hash/dbm.c b/src/plugins/kdb/db2/libdb2/hash/dbm.c
+index 4878cbc..3e46778 100644
+--- a/src/plugins/kdb/db2/libdb2/hash/dbm.c
++++ b/src/plugins/kdb/db2/libdb2/hash/dbm.c
+@@ -97,7 +97,7 @@ kdb2_fetch(key)
+ }
+ 
+ datum
+-kdb2_firstkey()
++kdb2_firstkey(void)
+ {
+ 	datum item;
+ 
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+index cee4b7b..5e77d5e 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+@@ -314,13 +314,13 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
+  *     DAL API functions
+  */
+ krb5_error_code
+-krb5_ldap_lib_init()
++krb5_ldap_lib_init(void)
+ {
+     return 0;
+ }
+ 
+ krb5_error_code
+-krb5_ldap_lib_cleanup()
++krb5_ldap_lib_cleanup(void)
+ {
+     /* right now, no cleanup required */
+     return 0;
+diff --git a/src/tests/threads/gss-perf.c b/src/tests/threads/gss-perf.c
+index f3630c2..0ca6d84 100644
+--- a/src/tests/threads/gss-perf.c
++++ b/src/tests/threads/gss-perf.c
+@@ -78,7 +78,7 @@ static void usage (void) __attribute__((noreturn));
+ static void set_target (char *);
+ 
+ static void
+-usage ()
++usage (void)
+ {
+     fprintf (stderr, "usage: %s [ options ] service-name\n", prog);
+     fprintf (stderr, "  service-name\tGSSAPI host-based service name (e.g., 'host@FQDN')\n");
+@@ -249,7 +249,7 @@ do_accept (gss_buffer_desc *msg, int iter)
+ }
+ 
+ static gss_buffer_desc
+-do_init ()
++do_init (void)
+ {
+     OM_uint32 maj_stat, min_stat;
+     gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
+diff --git a/src/tests/threads/init_ctx.c b/src/tests/threads/init_ctx.c
+index 42619a9..dc3d417 100644
+--- a/src/tests/threads/init_ctx.c
++++ b/src/tests/threads/init_ctx.c
+@@ -57,7 +57,7 @@ static int do_pause;
+ static void usage (void) __attribute__((noreturn));
+ 
+ static void
+-usage ()
++usage (void)
+ {
+     fprintf (stderr, "usage: %s [ options ]\n", prog);
+     fprintf (stderr, "options:\n");
+diff --git a/src/tests/threads/profread.c b/src/tests/threads/profread.c
+index be28ba4..69bdb05 100644
+--- a/src/tests/threads/profread.c
++++ b/src/tests/threads/profread.c
+@@ -59,7 +59,7 @@ static int do_pause;
+ static void usage (void) __attribute__((noreturn));
+ 
+ static void
+-usage ()
++usage (void)
+ {
+     fprintf (stderr, "usage: %s [ options ]\n", prog);
+     fprintf (stderr, "options:\n");
+diff --git a/src/tests/threads/t_rcache.c b/src/tests/threads/t_rcache.c
+index 07c45cc..8121429 100644
+--- a/src/tests/threads/t_rcache.c
++++ b/src/tests/threads/t_rcache.c
+@@ -51,7 +51,7 @@ int n_threads = DEFAULT_N_THREADS;
+ int interval = DEFAULT_INTERVAL;
+ int *ip;
+ 
+-static void wait_for_tick ()
++static void wait_for_tick (void)
+ {
+     time_t now, next;
+     now = time(0);
+diff --git a/src/util/et/com_err.c b/src/util/et/com_err.c
+index c1e3be7..2e74a4f 100644
+--- a/src/util/et/com_err.c
++++ b/src/util/et/com_err.c
+@@ -35,7 +35,7 @@ static /*@null@*/ et_old_error_hook_func com_err_hook = 0;
+ k5_mutex_t com_err_hook_lock = K5_MUTEX_PARTIAL_INITIALIZER;
+ 
+ #if defined(_WIN32)
+-BOOL  isGuiApp() {
++BOOL  isGuiApp(void) {
+     DWORD mypid;
+     HANDLE myprocess;
+     mypid = GetCurrentProcessId();
+@@ -161,7 +161,7 @@ et_old_error_hook_func set_com_err_hook (et_old_error_hook_func new_proc)
+     return x;
+ }
+ 
+-et_old_error_hook_func reset_com_err_hook ()
++et_old_error_hook_func reset_com_err_hook (void)
+ {
+     et_old_error_hook_func x;
+ 
+diff --git a/src/util/et/error_message.c b/src/util/et/error_message.c
+index 7dc02a3..460f18c 100644
+--- a/src/util/et/error_message.c
++++ b/src/util/et/error_message.c
+@@ -303,7 +303,7 @@ remove_error_table(const struct error_table *et)
+     return ENOENT;
+ }
+ 
+-int com_err_finish_init()
++int com_err_finish_init(void)
+ {
+     return CALL_INIT_FUNCTION(com_err_initialize);
+ }
+diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
+index 78d7f94..96001d5 100644
+--- a/src/util/profile/prof_file.c
++++ b/src/util/profile/prof_file.c
+@@ -546,11 +546,11 @@ void profile_dereference_data_locked(prf_data_t data)
+         profile_free_file_data(data);
+ }
+ 
+-void profile_lock_global()
++void profile_lock_global(void)
+ {
+     k5_mutex_lock(&g_shared_trees_mutex);
+ }
+-void profile_unlock_global()
++void profile_unlock_global(void)
+ {
+     k5_mutex_unlock(&g_shared_trees_mutex);
+ }
+diff --git a/src/util/support/secure_getenv.c b/src/util/support/secure_getenv.c
+index 6df0591..c9b34b6 100644
+--- a/src/util/support/secure_getenv.c
++++ b/src/util/support/secure_getenv.c
+@@ -68,7 +68,7 @@ static int elevated_privilege = 0;
+ MAKE_INIT_FUNCTION(k5_secure_getenv_init);
+ 
+ int
+-k5_secure_getenv_init()
++k5_secure_getenv_init(void)
+ {
+     int saved_errno = errno;
+ 
+diff --git a/src/windows/include/leashwin.h b/src/windows/include/leashwin.h
+index 08b9c7d..c85e6df 100644
+--- a/src/windows/include/leashwin.h
++++ b/src/windows/include/leashwin.h
+@@ -160,51 +160,51 @@ void Leash_reset_defaults(void);
+ #define GOOD_TICKETS 1
+ 
+ /* Leash Configuration functions - alters Current User Registry */
+-DWORD Leash_get_default_lifetime();
++DWORD Leash_get_default_lifetime(void);
+ DWORD Leash_set_default_lifetime(DWORD minutes);
+-DWORD Leash_reset_default_lifetime();
+-DWORD Leash_get_default_renew_till();
++DWORD Leash_reset_default_lifetime(void);
++DWORD Leash_get_default_renew_till(void);
+ DWORD Leash_set_default_renew_till(DWORD minutes);
+-DWORD Leash_reset_default_renew_till();
+-DWORD Leash_get_default_renewable();
++DWORD Leash_reset_default_renew_till(void);
++DWORD Leash_get_default_renewable(void);
+ DWORD Leash_set_default_renewable(DWORD onoff);
+-DWORD Leash_reset_default_renewable();
+-DWORD Leash_get_default_forwardable();
++DWORD Leash_reset_default_renewable(void);
++DWORD Leash_get_default_forwardable(void);
+ DWORD Leash_set_default_forwardable(DWORD onoff);
+-DWORD Leash_reset_default_forwardable();
+-DWORD Leash_get_default_noaddresses();
++DWORD Leash_reset_default_forwardable(void);
++DWORD Leash_get_default_noaddresses(void);
+ DWORD Leash_set_default_noaddresses(DWORD onoff);
+-DWORD Leash_reset_default_noaddresses();
+-DWORD Leash_get_default_proxiable();
++DWORD Leash_reset_default_noaddresses(void);
++DWORD Leash_get_default_proxiable(void);
+ DWORD Leash_set_default_proxiable(DWORD onoff);
+-DWORD Leash_reset_default_proxiable();
+-DWORD Leash_get_default_publicip();
++DWORD Leash_reset_default_proxiable(void);
++DWORD Leash_get_default_publicip(void);
+ DWORD Leash_set_default_publicip(DWORD ipv4addr);
+-DWORD Leash_reset_default_publicip();
+-DWORD Leash_get_hide_kinit_options();
++DWORD Leash_reset_default_publicip(void);
++DWORD Leash_get_hide_kinit_options(void);
+ DWORD Leash_set_hide_kinit_options(DWORD onoff);
+-DWORD Leash_reset_hide_kinit_options();
+-DWORD Leash_get_default_life_min();
++DWORD Leash_reset_hide_kinit_options(void);
++DWORD Leash_get_default_life_min(void);
+ DWORD Leash_set_default_life_min(DWORD minutes);
+-DWORD Leash_reset_default_life_min();
+-DWORD Leash_get_default_life_max();
++DWORD Leash_reset_default_life_min(void);
++DWORD Leash_get_default_life_max(void);
+ DWORD Leash_set_default_life_max(DWORD minutes);
+-DWORD Leash_reset_default_life_max();
+-DWORD Leash_get_default_renew_min();
++DWORD Leash_reset_default_life_max(void);
++DWORD Leash_get_default_renew_min(void);
+ DWORD Leash_set_default_renew_min(DWORD minutes);
+-DWORD Leash_reset_default_renew_min();
+-DWORD Leash_get_default_renew_max();
++DWORD Leash_reset_default_renew_min(void);
++DWORD Leash_get_default_renew_max(void);
+ DWORD Leash_set_default_renew_max(DWORD minutes);
+-DWORD Leash_reset_default_renew_max();
+-DWORD Leash_get_default_uppercaserealm();
++DWORD Leash_reset_default_renew_max(void);
++DWORD Leash_get_default_uppercaserealm(void);
+ DWORD Leash_set_default_uppercaserealm(DWORD onoff);
+-DWORD Leash_reset_default_uppercaserealm();
+-DWORD Leash_get_default_mslsa_import();
++DWORD Leash_reset_default_uppercaserealm(void);
++DWORD Leash_get_default_mslsa_import(void);
+ DWORD Leash_set_default_mslsa_import(DWORD onoffmatch);
+-DWORD Leash_reset_default_mslsa_import();
+-DWORD Leash_get_default_preserve_kinit_settings();
++DWORD Leash_reset_default_mslsa_import(void);
++DWORD Leash_get_default_preserve_kinit_settings(void);
+ DWORD Leash_set_default_preserve_kinit_settings(DWORD onoff);
+-DWORD Leash_reset_default_preserve_kinit_settings();
++DWORD Leash_reset_default_preserve_kinit_settings(void);
+ #ifdef __cplusplus
+ }
+ #endif
+-- 
+2.33.0
+

backport-Handle-empty-initial-buffer-in-IAKERB-initiator.patch

@@ -0,0 +1,38 @@
+From 5f0023d5f05e95021a7caa1193f76f86871222ce Mon Sep 17 00:00:00 2001                 
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 May 2024 10:10:56 +0200
+Subject: [PATCH] Handle empty initial buffer in IAKERB initiator
+
+Section 5.19 of RFC 2744 (about gss_init_sec_context) states,
+"Initially, the input_token parameter should be specified either as
+GSS_C_NO_BUFFER, or as a pointer to a gss_buffer_desc object whose
+length field contains the value zero."  In iakerb_initiator_step(),
+handle both cases when deciding whether to parse an acceptor message.
+
+[ghudson@mit.edu: edited commit message]
+
+ticket: 9126 (new)
+
+Reference: https://github.com/krb5/krb5/commit/5f0023d5f05e95021a7caa1193f76f86871222ce
+Conflict: NA
+
+---
+ src/lib/gssapi/krb5/iakerb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index b0d0ede..7a3ad1c 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -539,7 +539,7 @@ iakerb_initiator_step(iakerb_ctx_id_t ctx,
+     output_token->length = 0;
+     output_token->value = NULL;
+ 
+-    if (input_token != GSS_C_NO_BUFFER) {
++    if (input_token != GSS_C_NO_BUFFER && input_token->length > 0) {
+         code = iakerb_parse_token(ctx, 0, input_token, NULL, &cookie, &in);
+         if (code != 0)
+             goto cleanup;
+-- 
+2.33.0
+

krb5.spec

@@ -3,7 +3,7 @@
 
 Name:     krb5
 Version:  1.21.2
-Release:  6
+Release:  7
 Summary:  The Kerberos network authentication protocol
 License:  MIT
 URL:      http://web.mit.edu/kerberos/www/
@@ -33,6 +33,10 @@ Patch9: backport-Remove-klist-s-defname-global-variable.patch
 Patch10: backport-Fix-two-unlikely-memory-leaks.patch
 Patch11: backport-Allow-modifications-of-empty-profiles.patch
 Patch12: fix-leak-in-KDC-NDR-encoding.patch
+Patch13: backport-Fix-more-non-prototype-functions.patch
+Patch14: backport-Fix-Python-regexp-literals.patch
+Patch15: backport-Handle-empty-initial-buffer-in-IAKERB-initiator.patch
+Patch16: backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch
 
 BuildRequires:  gettext
 BuildRequires:  gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -331,6 +335,9 @@ make -C src check || :
 %{_mandir}/man8/*
 
 %changelog
+* Thu Jul 4 2024 xuraoqing <xuraoqing@huawei.com> - 1.21.2-7
+- backport patches to fix bugs and CVE-2024-37370 CVE-2024-37371
+
 * Thu Jun 27 2024 yanshuai <yanshuai@kylinos.cn> - 1.21.2-6
 - Fix leak in KDC NDR encoding