kdc: Sprinkle const and rk_UNCONST.

Taylor R Campbell
2023-06-20 12:08:31 +00:00
committed by Nicolas Williams
parent 29a791f8f4
commit adeae8336c
5 changed files with 18 additions and 14 deletions


@@ -988,7 +988,7 @@ pa_gss_display_status(astgs_request_t r,
static const gss_buffer_desc
gss_pa_unknown_display_name = {
sizeof("<unknown name>") - 1,
"<unknown name>"
rk_UNCONST("<unknown name>")
};
static void


@@ -692,9 +692,9 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
return ret;
}
pepper1.data = "clientchallengearmor";
pepper1.data = rk_UNCONST("clientchallengearmor");
pepper1.length = strlen(pepper1.data);
pepper2.data = "challengelongterm";
pepper2.data = rk_UNCONST("challengelongterm");
pepper2.length = strlen(pepper2.data);
krb5_crypto_getenctype(r->context, r->armor_crypto, &aenctype);
@@ -776,7 +776,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
* challenge key (different pepper).
*/
pepper1.data = "kdcchallengearmor";
pepper1.data = rk_UNCONST("kdcchallengearmor");
pepper1.length = strlen(pepper1.data);
ret = krb5_crypto_fx_cf2(r->context, r->armor_crypto, longtermcrypto,
@@ -2446,6 +2446,7 @@ _kdc_as_rep(astgs_request_t r)
if (!config->historical_anon_realm &&
_kdc_is_anonymous(r->context, r->client_princ)) {
const Realm anon_realm = KRB5_ANON_REALM;
ret = copy_Realm(&anon_realm, &rep->crealm);
} else if (f.canonicalize || r->client->flags.force_canonicalize)
ret = copy_Realm(&r->canon_client_princ->realm, &rep->crealm);
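Review bot: The three `rk_UNCONST` casts on the pepper literals (`"clientchallengearmor"`, `"challengelongterm"`, `"kdcchallengearmor"`) have no comment saying why dropping const is safe, unlike the kx509 change in this same commit, which notes that its buffer is copied read-only. A string literal may be placed in read-only storage, so any callee that wrote through `pepper1.data` or `pepper2.data` would be undefined behaviour. Presumably `krb5_crypto_fx_cf2` only reads the peppers, but that is not visible in these hunks. Once that is confirmed I would add `/* peppers are only read by krb5_crypto_fx_cf2 */` above each assignment, and the same kind of note on `p1`/`p2` in the `_kdc_pk_mk_pa_reply` hunk. The body of pa_enc_chal_validate continues outside the hunks shown.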


@@ -491,7 +491,8 @@ make_csr(krb5_context context, kx509_req_context reqctx, krb5_data *key)
ret = der_copy_oid(&asn1_oid_id_pkcs1_rsaEncryption,
&spki.algorithm.algorithm);
any.data = "\x05\x00";
/* copied read-only by hx509_request_set_SubjectPublicKeyInfo */
any.data = rk_UNCONST("\x05\x00");
any.length = 2;
spki.algorithm.parameters = &any;


@@ -1681,8 +1681,8 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
krb5_keyblock kdc_contribution_key;
krb5_crypto reply_crypto;
krb5_crypto kdccont_crypto;
krb5_data p1 = { strlen("PKINIT"), "PKINIT"};
krb5_data p2 = { strlen("KEYEXCHANGE"), "KEYEXCHANGE"};
krb5_data p1 = { strlen("PKINIT"), rk_UNCONST("PKINIT")};
krb5_data p2 = { strlen("KEYEXCHANGE"), rk_UNCONST("KEYEXCHANGE")};
void *kckdata;
size_t kcklen;
EncryptedData kx;


@@ -214,7 +214,7 @@ service(void *ctx,
errx(1, "Out of memory");
if (strncmp(cmd, "check ", sizeof("check ") - 1) != 0) {
rep.data = "Invalid request command (must be \"check ...\")";
rep.data = rk_UNCONST("Invalid request command (must be \"check ...\")");
rep.length = sizeof("Invalid request command (must be \"check ...\")") - 1;
(*complete_cb)(complete_cb_data, EINVAL, &rep);
free(cmd);
@@ -248,7 +248,7 @@ service(void *ctx,
if (ret == 0 && all_granted) {
rk_strpoolfree(result);
rep.data = "granted";
rep.data = rk_UNCONST("granted");
rep.length = sizeof("granted") - 1;
(*complete_cb)(complete_cb_data, 0, &rep);
return;
@@ -257,7 +257,7 @@ service(void *ctx,
if (none_granted && ignore_flag) {
rk_strpoolfree(result);
rep.data = "ignore";
rep.data = rk_UNCONST("ignore");
rep.length = sizeof("ignore") - 1;
(*complete_cb)(complete_cb_data, KRB5_PLUGIN_NO_HANDLE, &rep);
return;
@@ -265,7 +265,7 @@ service(void *ctx,
s = rk_strpoolcollect(result); /* frees `result' */
if (s == NULL) {
rep.data = "denied out-of-memory";
rep.data = rk_UNCONST("denied out-of-memory");
rep.length = sizeof("denied out-of-memory") - 1;
(*complete_cb)(complete_cb_data, KRB5_PLUGIN_NO_HANDLE, &rep);
return;
@@ -284,7 +284,7 @@ service(void *ctx,
free(s);
}
static char *
static const char *
make_feature_argument(const char *kind,
hx509_san_type san_type,
const char *value)
@@ -293,6 +293,7 @@ make_feature_argument(const char *kind,
char *s = NULL;
if (strcmp(kind, "san") != 0) {
/* XXX leak */
if (asprintf(&s, "%s=%s", kind, value) == -1 || s == NULL)
errx(1, "Out of memory");
return s;
@@ -326,6 +327,7 @@ make_feature_argument(const char *kind,
return "";
}
/* XXX leak */
if (asprintf(&s, "san_%s=%s", san_type_str, value) == -1 || s == NULL)
errx(1, "Out of memory");
return s;
@@ -426,7 +428,7 @@ main(int argc, char **argv)
*/
for (i = 0; ret2 == 0; i++) {
hx509_san_type san_type;
char *feature = NULL;
const char *feature = NULL;
char *san = NULL;
int granted;
@@ -454,7 +456,7 @@ main(int argc, char **argv)
/* Check partial approval of EKUs */
for (i = 0; ret2 == 0; i++) {
char *feature = NULL;
const char *feature = NULL;
char *eku = NULL;
int granted;
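Review bot: Changing `make_feature_argument` to return `const char *` hides an ownership split rather than resolving it: two paths return memory from `asprintf` (now marked `/* XXX leak */`) and one returns the literal `""`, so the two loops in `main` can no longer free `feature` and appear to leak one string per iteration. This looks like a short-lived test program, so the leak is probably harmless, but a single contract is easier to audit: keep the `char *` return type, have the literal path return owned memory with `if ((s = strdup("")) == NULL) errx(1, "Out of memory");` then `return s;`, and call `free(feature)` at the end of each loop body. The function body and both loops extend beyond the hunks shown, so the free sites need checking against the full file.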