gss: Fix warnings

appl/gssmask/gssmask.c

@@ -951,7 +951,9 @@ HandleOP(WrapExt)
     memcpy(p, iov[4].buffer.value, iov[4].buffer.length);
     p += iov[4].buffer.length;
     memcpy(p, iov[5].buffer.value, iov[5].buffer.length);
+#if 0 /* Would be needed to keep going, but presently unused */
     p += iov[5].buffer.length;
+#endif
 
     gss_release_iov_buffer(NULL, iov, iov_len);
 

appl/test/gssapi_server.c

@@ -159,6 +159,8 @@ process_it(int sock,
 			 input_token,
 			 NULL,
 			 output_token);
+    if (GSS_ERROR(maj_stat))
+	gss_err(1, min_stat, "gss_wrap");
 
     write_token (sock, output_token);
     gss_release_buffer (&min_stat, output_token);
@@ -184,7 +186,7 @@ proto (int sock, const char *service)
     gss_name_t client_name;
     struct gss_channel_bindings_struct input_chan_bindings;
     gss_cred_id_t delegated_cred_handle = NULL;
-    krb5_ccache ccache;
+    krb5_ccache ccache = NULL;
     u_char init_buf[4];
     u_char acct_buf[4];
     gss_OID mech_oid;
@@ -270,15 +272,21 @@ proto (int sock, const char *service)
     printf("Using mech: %s\n", mech);
 
     if (delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
-       krb5_context context;
+       krb5_context context = NULL;
 
        printf("Delegated cred found\n");
 
-       maj_stat = krb5_init_context(&context);
+       min_stat = krb5_init_context(&context);
-       maj_stat = krb5_cc_resolve(context, "FILE:/tmp/krb5cc_test", &ccache);
+       if (min_stat)
-       maj_stat = gss_krb5_copy_ccache(&min_stat,
+	    gss_err(1, min_stat, "krb5_init_context");
-				       delegated_cred_handle,
+       if (min_stat == 0)
-				       ccache);
+           min_stat = krb5_cc_resolve(context, "FILE:/tmp/krb5cc_test", &ccache);
+       if (min_stat == 0)
+           maj_stat = gss_krb5_copy_ccache(&min_stat,
+                                           delegated_cred_handle,
+                                           ccache);
+       else
+           maj_stat = GSS_S_FAILURE;
        if (maj_stat == 0) {
 	   krb5_principal p;
 	   maj_stat = krb5_cc_get_principal(context, ccache, &p);
@@ -293,6 +301,7 @@ proto (int sock, const char *service)
 	   }
        }
        krb5_cc_close(context, ccache);
+       krb5_free_context(context);
        gss_release_cred(&min_stat, &delegated_cred_handle);
     }
 

lib/gssapi/gss-token.c

@@ -250,7 +250,7 @@ write_and_free_token(gss_buffer_t out, int negotiate)
 
 bail:
 	gss_release_buffer(&min, out);
-	return 0;
+	return ret;
 }
 
 static int
@@ -402,7 +402,7 @@ static int
 initiate_many(gss_name_t service, int delegate, int negotiate, int memcache,
 	      size_t count)
 {
-	krb5_error_code	kret;
+	krb5_error_code	kret = 0;
 	krb5_context	kctx = NULL;
 	krb5_ccache	def_cache = NULL;
 	krb5_ccache	mem_cache = NULL;
@@ -567,7 +567,7 @@ print_all_mechs(void)
 	for (i=0; i < mech_set->count; i++)
 		printf("%s\n", gss_oid_to_name(&mech_set->elements[i]));
 
-	maj = gss_release_oid_set(&min, &mech_set);
+	(void) gss_release_oid_set(&min, &mech_set);
 
 bail:
 	exit(ret);

lib/gssapi/krb5/arcfour.c

@@ -177,7 +177,7 @@ arcfour_mic_cksum_iov(krb5_context context,
 	memcpy(ptr + ofs,
 	       padding->buffer.value,
 	       padding->buffer.length);
-	ofs += padding->buffer.length;
+	/* ofs += padding->buffer.length; */
     }
 
     ret = krb5_crypto_init(context, key, 0, &crypto);
@@ -880,6 +880,11 @@ _gssapi_wrap_iov_length_arcfour(OM_uint32 *minor_status,
 	}
     }
 
+    if (header == NULL) {
+        *minor_status = EINVAL;
+        return GSS_S_FAILURE;
+    }
+
     major_status = _gk_verify_buffers(minor_status, ctx, header,
 				      padding, trailer, FALSE);
     if (major_status != GSS_S_COMPLETE) {

lib/gssapi/mech/gss_cred.c

@@ -262,8 +262,7 @@ gss_import_cred(OM_uint32 * minor_status,
 	    goto out;
 	}
 
-	if (m->gm_import_cred == NULL &&
+	if (m->gm_import_cred == NULL) {
-	    !gss_oid_equal(&m->gm_mech_oid, GSS_SPNEGO_MECHANISM)) {
 	    *minor_status = 0;
 	    major = GSS_S_BAD_MECH;
 	    goto out;
@@ -287,8 +286,7 @@ gss_import_cred(OM_uint32 * minor_status,
 		continue;
 	}
 
-	major = m->gm_import_cred(minor_status,
+	major = m->gm_import_cred(minor_status, &buffer, &mcred);
-				  &buffer, &mcred);
 	gss_release_buffer(&junk, &buffer);
 	if (major != GSS_S_COMPLETE)
 	    goto out;

lib/gssapi/mech/gss_export_sec_context.c

@@ -72,6 +72,10 @@ gss_export_sec_context(OM_uint32 *minor_status,
             verflags |= EXPORT_CONTEXT_FLAG_MECH_CTX;
 
         kret = krb5_store_uint8(sp, verflags);
+        if (kret) {
+            *minor_status = kret;
+            goto failure;
+        }
 
         if (ctx->gc_target_len) {
             _gss_mg_log(10, "gss-esc: exporting partial token %zu/%zu",

lib/gssapi/mech/gss_import_name.c

@@ -133,7 +133,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
                 len -= t;
 
                 t = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
-                p += 4;
+                /* p += 4; // we're done using `p' now */
                 len -= 4;
 
                 if (len != t)

lib/gssapi/mech/gss_import_sec_context.c

@@ -42,9 +42,9 @@ gss_import_sec_context(OM_uint32 *minor_status,
 
         _gss_mg_log(10, "gss-isc called");
 
-        if (!minor_status || !context_handle) {
+        if (!context_handle) {
             *minor_status = EFAULT;
-            return GSS_S_FAILURE;
+            return GSS_S_CALL_INACCESSIBLE_WRITE;
         }
 
 	*minor_status = 0;
@@ -87,7 +87,7 @@ gss_import_sec_context(OM_uint32 *minor_status,
             if (ret != GSS_S_COMPLETE)
                 goto failure;
 
-            ctx->gc_input.value = calloc(target_len, 1);
+            ctx->gc_free_this = ctx->gc_input.value = calloc(target_len, 1);
 	    if (ctx->gc_input.value == NULL)
 		goto failure;
 

lib/gssapi/mech/gss_krb5.c

@@ -520,7 +520,8 @@ gss_krb5_ccache_name(OM_uint32 *minor_status,
 	}
     }
 
-    *out_name = args.out_name;
+    if (out_name)
+        *out_name = args.out_name;
 
     return major_status;
 }

lib/gssapi/mech/gss_mech_switch.c

@@ -137,6 +137,8 @@ _gss_string_to_oid(const char* s, gss_OID *oidp)
 				}
 			}
 		}
+                if (byte_count == 0)
+                    return EINVAL;
 		if (!res) {
 			res = malloc(byte_count);
 			if (!res)

lib/gssapi/mech/gss_pname_to_uid.c

@@ -158,6 +158,10 @@ gss_pname_to_uid(OM_uint32 *minor_status,
     major = gss_localname(minor_status, pname, mech_type, &localname);
     if (GSS_ERROR(major))
         return major;
+    if (localname.length == 0) {
+        *minor_status = KRB5_NO_LOCALNAME;
+        return GSS_S_FAILURE;
+    }
 
     szLocalname = malloc(localname.length + 1);
     if (szLocalname == NULL) {

lib/gssapi/ntlm/init_sec_context.c

@@ -56,6 +56,8 @@ from_file(const char *fn, const char *target_domain,
 	d = strtok_r(buf, ":", &str);
         free(*domainp);
 	*domainp = NULL;
+        if (!d)
+            continue;
 	if (d && target_domain != NULL && strcasecmp(target_domain, d) != 0)
 	    continue;
         *domainp = strdup(d);

lib/gssapi/sanon/import_name.c

@@ -59,17 +59,15 @@ storage_ret_der_oid(krb5_storage *sp, gss_OID_desc *oid)
     oid->elements = NULL;
 
     ret = krb5_ret_uint16(sp, &der_oid_len);
-    if (ret != 0)
+    if (ret == 0)
+        ret = krb5_ret_uint8(sp, &tag);
+    if (ret == 0)
+        ret = krb5_ret_uint8(sp, &oid_len);
+    if (ret)
 	return ret;
-
-    ret = krb5_ret_uint8(sp, &tag);
     if (tag != 0x06)
 	return EINVAL;
 
-    ret = krb5_ret_uint8(sp, &oid_len);
-    if (ret != 0)
-	return ret;
-
     if (der_oid_len != 2 + oid_len)
 	return EINVAL;
 
@@ -126,10 +124,11 @@ import_export_name(OM_uint32 *minor,
     }
     if (ret == 0)
 	ret = krb5_ret_uint32(sp, &name_len);
-    if (name_len != 1)
+    if (ret == 0)
-	ret = EINVAL;
+        ret = krb5_ret_uint8(sp, &is_anonymous);
-    ret = krb5_ret_uint8(sp, &is_anonymous);
     if (ret == 0) {
+        if (name_len != 1)
+            ret = EINVAL;
 	if (is_anonymous == 1) {
 	    *output_name = _gss_sanon_anonymous_identity;
 	    major = GSS_S_COMPLETE;

lib/gssapi/test_context.c

@@ -1257,7 +1257,7 @@ main(int argc, char **argv)
 
 	if (maj_stat != GSS_S_COMPLETE)
 	    keyblock2 = NULL;
-	else if (limit_enctype && keyblock->keytype != limit_enctype)
+	else if (limit_enctype && keyblock && keyblock->keytype != limit_enctype)
 	    errx(1, "gsskrb5_get_subkey wrong enctype");
 
 	if (keyblock || keyblock2) {
@@ -1285,7 +1285,7 @@ main(int argc, char **argv)
 	    if (ret)
 		krb5_err(context, 1, ret, "krb5_string_to_enctype");
 
-	    if (enctype != keyblock->keytype)
+	    if (keyblock && enctype != keyblock->keytype)
 		errx(1, "keytype is not the expected %d != %d",
 		     (int)enctype, (int)keyblock2->keytype);
 	}