Merge branch 'master' into lukeh/moonshot

Conflicts:
	lib/gssapi/krb5/external.c
	lib/libedit/src/vi.c

lib/krb5/Makefile.am

@@ -42,7 +42,8 @@ TESTS =						\
 	test_princ				\
 	test_pkinit_dh2key			\
 	test_pknistkdf				\
-	test_time
+	test_time				\
+	test_x500
 
 check_DATA = test_config_strings.out
 
@@ -236,7 +237,7 @@ if versionscript
 libkrb5_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
 endif
 
-$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
+$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS) $(librfc3961_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h krb5_err.h heim_err.h k524_err.h krb5_err.h krb_err.h k524_err.h
 
 librfc3961_la_SOURCES =				\
 	crc.c					\
@@ -329,7 +330,7 @@ dist_include_HEADERS = \
 	krb5-private.h \
 	krb5_ccapi.h
 
-nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h 
+nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
 
 # XXX use nobase_include_HEADERS = krb5/locate_plugin.h
 krb5dir = $(includedir)/krb5
@@ -347,7 +348,7 @@ CLEANFILES = \
 	heim_err.c heim_err.h \
 	k524_err.c k524_err.h
 
-$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h crypto.h
+$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
 
 test_config_strings.out: test_config_strings.cfg
 	$(CP) $(srcdir)/test_config_strings.cfg test_config_strings.out

lib/krb5/acache.c

@@ -78,7 +78,7 @@ static const struct {
 static krb5_error_code
 translate_cc_error(krb5_context context, cc_int32 error)
 {
-    int i;
+    size_t i;
     krb5_clear_error_message(context);
     for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++)
 	if (cc_errors[i].error == error)
@@ -337,7 +337,7 @@ make_ccred_from_cred(krb5_context context,
 		     cc_credentials_v5_t *cred)
 {
     krb5_error_code ret;
-    int i;
+    size_t i;
 
     memset(cred, 0, sizeof(*cred));
 
@@ -1114,7 +1114,9 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
     acc_move,
     acc_get_default_name,
     acc_set_default,
-    acc_lastchange
+    acc_lastchange,
+    NULL,
+    NULL,
 };
 
 #endif

lib/krb5/addr_families.c

@@ -354,7 +354,7 @@ ipv6_print_addr (const krb5_address *addr, char *str, size_t len)
     if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL)
 	{
 	    /* XXX this is pretty ugly, but better than abort() */
-	    int i;
+	    size_t i;
 	    unsigned char *p = addr->address.data;
 	    buf[0] = '\0';
 	    for(i = 0; i < addr->address.length; i++) {
@@ -727,34 +727,78 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len)
 }
 
 static struct addr_operations at[] = {
-    {AF_INET,	KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
-     ipv4_sockaddr2addr,
-     ipv4_sockaddr2port,
-     ipv4_addr2sockaddr,
-     ipv4_h_addr2sockaddr,
-     ipv4_h_addr2addr,
-     ipv4_uninteresting, ipv4_is_loopback, ipv4_anyaddr, ipv4_print_addr,
-     ipv4_parse_addr, NULL, NULL, NULL, ipv4_mask_boundary },
+    {
+	AF_INET,	KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
+	ipv4_sockaddr2addr,
+	ipv4_sockaddr2port,
+	ipv4_addr2sockaddr,
+	ipv4_h_addr2sockaddr,
+	ipv4_h_addr2addr,
+	ipv4_uninteresting,
+	ipv4_is_loopback,
+	ipv4_anyaddr,
+	ipv4_print_addr,
+	ipv4_parse_addr,
+	NULL,
+	NULL,
+	NULL,
+     ipv4_mask_boundary
+    },
 #ifdef HAVE_IPV6
-    {AF_INET6,	KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
-     ipv6_sockaddr2addr,
-     ipv6_sockaddr2port,
-     ipv6_addr2sockaddr,
-     ipv6_h_addr2sockaddr,
-     ipv6_h_addr2addr,
-     ipv6_uninteresting, ipv6_is_loopback, ipv6_anyaddr, ipv6_print_addr,
-     ipv6_parse_addr, NULL, NULL, NULL, ipv6_mask_boundary } ,
+    {
+	AF_INET6,	KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
+	ipv6_sockaddr2addr,
+	ipv6_sockaddr2port,
+	ipv6_addr2sockaddr,
+	ipv6_h_addr2sockaddr,
+	ipv6_h_addr2addr,
+	ipv6_uninteresting,
+	ipv6_is_loopback,
+	ipv6_anyaddr,
+	ipv6_print_addr,
+	ipv6_parse_addr,
+	NULL,
+	NULL,
+	NULL,
+	ipv6_mask_boundary
+    } ,
 #endif
 #ifndef HEIMDAL_SMALLER
     /* fake address type */
-    {KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange),
-     NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-     arange_print_addr, arange_parse_addr,
-     arange_order_addr, arange_free, arange_copy },
+    {
+	KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange),
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	arange_print_addr,
+	arange_parse_addr,
+	arange_order_addr,
+	arange_free,
+	arange_copy,
+	NULL
+    },
 #endif
-    {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0,
-     NULL, NULL, NULL, NULL, NULL, NULL,
-     NULL, NULL, addrport_print_addr, NULL, NULL, NULL, NULL }
+    {
+	KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	addrport_print_addr,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+    }
 };
 
 static int num_addrs = sizeof(at) / sizeof(at[0]);
@@ -777,7 +821,7 @@ find_af(int af)
 }
 
 static struct addr_operations *
-find_atype(int atype)
+find_atype(krb5_address_type atype)
 {
     struct addr_operations *a;
 
@@ -1067,17 +1111,17 @@ krb5_print_address (const krb5_address *addr,
     if (a == NULL || a->print_addr == NULL) {
 	char *s;
 	int l;
-	int i;
+	size_t i;
 
 	s = str;
 	l = snprintf(s, len, "TYPE_%d:", addr->addr_type);
-	if (l < 0 || l >= len)
+	if (l < 0 || (size_t)l >= len)
 	    return EINVAL;
 	s += l;
 	len -= l;
 	for(i = 0; i < addr->address.length; i++) {
 	    l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]);
-	    if (l < 0 || l >= len)
+	    if (l < 0 || (size_t)l >= len)
 		return EINVAL;
 	    len -= l;
 	    s += l;
@@ -1263,7 +1307,7 @@ krb5_address_search(krb5_context context,
 		    const krb5_address *addr,
 		    const krb5_addresses *addrlist)
 {
-    int i;
+    size_t i;
 
     for (i = 0; i < addrlist->len; ++i)
 	if (krb5_address_compare (context, addr, &addrlist->val[i]))
@@ -1311,7 +1355,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_free_addresses(krb5_context context,
 		    krb5_addresses *addresses)
 {
-    int i;
+    size_t i;
     for(i = 0; i < addresses->len; i++)
 	krb5_free_address(context, &addresses->val[i]);
     free(addresses->val);
@@ -1362,7 +1406,7 @@ krb5_copy_addresses(krb5_context context,
 		    const krb5_addresses *inaddr,
 		    krb5_addresses *outaddr)
 {
-    int i;
+    size_t i;
     ALLOC_SEQ(outaddr, inaddr->len);
     if(inaddr->len > 0 && outaddr->val == NULL)
 	return ENOMEM;
@@ -1391,7 +1435,7 @@ krb5_append_addresses(krb5_context context,
 {
     krb5_address *tmp;
     krb5_error_code ret;
-    int i;
+    size_t i;
     if(source->len > 0) {
 	tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp));
 	if(tmp == NULL) {

lib/krb5/auth_context.c

@@ -262,6 +262,7 @@ krb5_auth_con_getaddrs(krb5_context context,
     return 0;
 }
 
+/* coverity[+alloc : arg-*2] */
 static krb5_error_code
 copy_key(krb5_context context,
 	 krb5_keyblock *in,
@@ -289,6 +290,7 @@ krb5_auth_con_getlocalsubkey(krb5_context context,
     return copy_key(context, auth_context->local_subkey, keyblock);
 }
 
+/* coverity[+alloc : arg-*2] */ 
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getremotesubkey(krb5_context context,
 			      krb5_auth_context auth_context,

lib/krb5/changepw.c

@@ -276,7 +276,7 @@ process_reply (krb5_context context,
 {
     krb5_error_code ret;
     u_char reply[1024 * 3];
-    ssize_t len;
+    size_t len;
     uint16_t pkt_len, pkt_ver;
     krb5_data ap_rep_data;
     int save_errno;
@@ -328,7 +328,7 @@ process_reply (krb5_context context,
 
     if (len < 6) {
 	str2data (result_string, "server %s sent to too short message "
-		  "(%ld bytes)", host, (long)len);
+		  "(%zu bytes)", host, len);
 	*result_code = KRB5_KPASSWD_MALFORMED;
 	return 0;
     }
@@ -496,7 +496,7 @@ static struct kpwd_proc {
 	chgpw_send_request,
 	process_reply
     },
-    { NULL }
+    { NULL, 0, NULL, NULL }
 };
 
 /*

lib/krb5/config_file.c

@@ -63,7 +63,7 @@ config_fgets(char *str, size_t len, struct fileptr *ptr)
 	p = ptr->s + strcspn(ptr->s, "\n");
 	if(*p == '\n')
 	    p++;
-	l = min(len, p - ptr->s);
+	l = min(len, (size_t)(p - ptr->s));
 	if(len > 0) {
 	    memcpy(str, ptr->s, l);
 	    str[l] = '\0';
@@ -91,7 +91,7 @@ _krb5_config_get_entry(krb5_config_section **parent, const char *name, int type)
 
     for(q = parent; *q != NULL; q = &(*q)->next)
 	if(type == krb5_config_list &&
-	   type == (*q)->type &&
+	   (unsigned)type == (*q)->type &&
 	   strcmp(name, (*q)->name) == 0)
 	    return *q;
     *q = calloc(1, sizeof(**q));
@@ -635,7 +635,7 @@ vget_next(krb5_context context,
     const char *p = va_arg(args, const char *);
     while(b != NULL) {
 	if(strcmp(b->name, name) == 0) {
-	    if(b->type == type && p == NULL) {
+	    if(b->type == (unsigned)type && p == NULL) {
 		*pointer = b;
 		return b->u.generic;
 	    } else if(b->type == krb5_config_list && p != NULL) {
@@ -675,7 +675,7 @@ _krb5_config_vget_next (krb5_context context,
     /* we were called again, so just look for more entries with the
        same name and type */
     for (b = (*pointer)->next; b != NULL; b = b->next) {
-	if(strcmp(b->name, (*pointer)->name) == 0 && b->type == type) {
+	if(strcmp(b->name, (*pointer)->name) == 0 && b->type == (unsigned)type) {
 	    *pointer = b;
 	    return b->u.generic;
 	}
@@ -865,7 +865,7 @@ krb5_config_get_string_default (krb5_context context,
 }
 
 static char *
-next_component_string(char * begin, char * delims, char **state)
+next_component_string(char * begin, const char * delims, char **state)
 {
     char * end;
 

lib/krb5/crypto-des.c

@@ -77,7 +77,9 @@ static struct _krb5_key_type keytype_des_old = {
     krb5_DES_random_key,
     krb5_DES_schedule_old,
     _krb5_des_salt,
-    krb5_DES_random_to_key
+    krb5_DES_random_to_key,
+    NULL,
+    NULL
 };
 
 static struct _krb5_key_type keytype_des = {

lib/krb5/crypto-evp.c

@@ -98,7 +98,7 @@ _krb5_evp_encrypt_cts(krb5_context context,
 {
     size_t i, blocksize;
     struct _krb5_evp_schedule *ctx = key->schedule->data;
-    char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
+    unsigned char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
     EVP_CIPHER_CTX *c;
     unsigned char *p;
 
@@ -142,7 +142,7 @@ _krb5_evp_encrypt_cts(krb5_context context,
 	if (ivec)
 	    memcpy(ivec, p, blocksize);
     } else {
-	char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH];
+	unsigned char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH];
 
 	p = data;
 	if (len > blocksize * 2) {

lib/krb5/crypto-pk.c

@@ -192,6 +192,8 @@ encode_otherinfo(krb5_context context,
     return 0;
 }
 
+
+
 krb5_error_code
 _krb5_pk_kdf(krb5_context context,
 	     const struct AlgorithmIdentifier *ai,
@@ -211,10 +213,17 @@ _krb5_pk_kdf(krb5_context context,
     size_t keylen, offset;
     uint32_t counter;
     unsigned char *keydata;
-    unsigned char shaoutput[SHA_DIGEST_LENGTH];
+    unsigned char shaoutput[SHA512_DIGEST_LENGTH];
+    const EVP_MD *md;
     EVP_MD_CTX *m;
 
-    if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) != 0) {
+    if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) == 0) {
+        md = EVP_sha1();
+    } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha256, &ai->algorithm) == 0) {
+        md = EVP_sha256();
+    } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha512, &ai->algorithm) == 0) {
+        md = EVP_sha512();
+    } else {
 	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
 			       N_("KDF not supported", ""));
 	return KRB5_PROG_ETYPE_NOSUPP;
@@ -264,7 +273,7 @@ _krb5_pk_kdf(krb5_context context,
     do {
 	unsigned char cdata[4];
 
-	EVP_DigestInit_ex(m, EVP_sha1(), NULL);
+	EVP_DigestInit_ex(m, md, NULL);
 	_krb5_put_int(cdata, counter, 4);
 	EVP_DigestUpdate(m, cdata, 4);
 	EVP_DigestUpdate(m, dhdata, dhsize);
@@ -274,9 +283,9 @@ _krb5_pk_kdf(krb5_context context,
 
 	memcpy((unsigned char *)keydata + offset,
 	       shaoutput,
-	       min(keylen - offset, sizeof(shaoutput)));
+	       min(keylen - offset, EVP_MD_CTX_size(m)));
 
-	offset += sizeof(shaoutput);
+	offset += EVP_MD_CTX_size(m);
 	counter++;
     } while(offset < keylen);
     memset(shaoutput, 0, sizeof(shaoutput));

lib/krb5/crypto.c

@@ -180,7 +180,7 @@ _krb5_internal_hmac(krb5_context context,
     unsigned char *ipad, *opad;
     unsigned char *key;
     size_t key_len;
-    int i;
+    size_t i;
 
     ipad = malloc(cm->blocksize + len);
     if (ipad == NULL)
@@ -311,7 +311,7 @@ get_checksum_key(krb5_context context,
     if(ct->flags & F_DERIVED)
 	ret = _get_derived_key(context, crypto, usage, key);
     else if(ct->flags & F_VARIANT) {
-	int i;
+	size_t i;
 
 	*key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */);
 	if(*key == NULL) {
@@ -1160,9 +1160,9 @@ decrypt_internal_special(krb5_context context,
 }
 
 static krb5_crypto_iov *
-find_iv(krb5_crypto_iov *data, int num_data, int type)
+find_iv(krb5_crypto_iov *data, size_t num_data, unsigned type)
 {
-    int i;
+    size_t i;
     for (i = 0; i < num_data; i++)
 	if (data[i].flags == type)
 	    return &data[i];
@@ -1403,11 +1403,6 @@ krb5_decrypt_iov_ivec(krb5_context context,
     struct _krb5_encryption_type *et = crypto->et;
     krb5_crypto_iov *tiv, *hiv;
 
-    if (num_data < 0) {
-        krb5_clear_error_message(context);
-	return KRB5_CRYPTO_INTERNAL;
-    }
-
     if(!derived_crypto(context, crypto)) {
 	krb5_clear_error_message(context);
 	return KRB5_CRYPTO_INTERNAL;
@@ -1545,15 +1540,10 @@ krb5_create_checksum_iov(krb5_context context,
     Checksum cksum;
     krb5_crypto_iov *civ;
     krb5_error_code ret;
-    int i;
+    size_t i;
     size_t len;
     char *p, *q;
 
-    if (num_data < 0) {
-        krb5_clear_error_message(context);
-	return KRB5_CRYPTO_INTERNAL;
-    }
-
     if(!derived_crypto(context, crypto)) {
 	krb5_clear_error_message(context);
 	return KRB5_CRYPTO_INTERNAL;
@@ -1629,15 +1619,10 @@ krb5_verify_checksum_iov(krb5_context context,
     Checksum cksum;
     krb5_crypto_iov *civ;
     krb5_error_code ret;
-    int i;
+    size_t i;
     size_t len;
     char *p, *q;
 
-    if (num_data < 0) {
-        krb5_clear_error_message(context);
-	return KRB5_CRYPTO_INTERNAL;
-    }
-
     if(!derived_crypto(context, crypto)) {
 	krb5_clear_error_message(context);
 	return KRB5_CRYPTO_INTERNAL;
@@ -1730,7 +1715,7 @@ krb5_crypto_length_iov(krb5_context context,
 		       unsigned int num_data)
 {
     krb5_error_code ret;
-    int i;
+    size_t i;
 
     for (i = 0; i < num_data; i++) {
 	ret = krb5_crypto_length(context, crypto,

lib/krb5/digest.c

@@ -727,8 +727,10 @@ krb5_digest_request(krb5_context context,
 	ireq.u.digestRequest.type = digest->init.type;
     }
 
-    if (ireq.u.digestRequest.digest == NULL)
-	ireq.u.digestRequest.digest = "md5";
+    if (ireq.u.digestRequest.digest == NULL) {
+	static char md5[] = "md5";
+	ireq.u.digestRequest.digest = md5;
+    }
 
     ret = digest_request(context, realm, ccache,
 			 KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep);

lib/krb5/fcache.c

@@ -155,7 +155,7 @@ write_storage(krb5_context context, krb5_storage *sp, int fd)
 	return ret;
     }
     sret = write(fd, data.data, data.length);
-    ret = (sret != data.length);
+    ret = (sret != (ssize_t)data.length);
     krb5_data_free(&data);
     if (ret) {
 	ret = errno;
@@ -220,7 +220,7 @@ scrub_file (int fd)
         return errno;
     memset(buf, 0, sizeof(buf));
     while(pos > 0) {
-        ssize_t tmp = write(fd, buf, min(sizeof(buf), pos));
+        ssize_t tmp = write(fd, buf, min((off_t)sizeof(buf), pos));
 
 	if (tmp < 0)
 	    return errno;
@@ -334,11 +334,11 @@ fcc_gen_new(krb5_context context, krb5_ccache *id)
 
     fd = mkstemp(exp_file);
     if(fd < 0) {
-	int ret = errno;
-	krb5_set_error_message(context, ret, N_("mkstemp %s failed", ""), exp_file);
+	int xret = errno;
+	krb5_set_error_message(context, xret, N_("mkstemp %s failed", ""), exp_file);
 	free(f);
 	free(exp_file);
-	return ret;
+	return xret;
     }
     close(fd);
     f->filename = exp_file;

lib/krb5/get_cred.c

@@ -235,7 +235,7 @@ init_tgs_req (krb5_context context,
 	goto fail;
     }
     {
-	int i;
+	size_t i;
 	for (i = 0; i < padata->len; i++) {
 	    ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
 	    if (ret) {

lib/krb5/get_host_realm.c

@@ -109,7 +109,7 @@ dns_find_realm(krb5_context context,
 	domain++;
     for (i = 0; labels[i] != NULL; i++) {
 	ret = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain);
-	if(ret < 0 || ret >= sizeof(dom)) {
+	if(ret < 0 || (size_t)ret >= sizeof(dom)) {
 	    if (config_labels)
 		krb5_config_free_strings(config_labels);
 	    return -1;

lib/krb5/get_in_tkt.c

@@ -103,7 +103,7 @@ add_padata(krb5_context context,
     PA_DATA *pa2;
     krb5_salt salt2;
     krb5_enctype *ep;
-    int i;
+    size_t i;
 
     if(salt == NULL) {
 	/* default to standard salt */
@@ -247,7 +247,7 @@ init_as_req (krb5_context context,
     a->req_body.additional_tickets = NULL;
 
     if(preauth != NULL) {
-	int i;
+	size_t i;
 	ALLOC(a->padata, 1);
 	if(a->padata == NULL) {
 	    ret = ENOMEM;
@@ -258,7 +258,7 @@ init_as_req (krb5_context context,
 	a->padata->len = 0;
 	for(i = 0; i < preauth->len; i++) {
 	    if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
-		int j;
+		size_t j;
 
 		for(j = 0; j < preauth->val[i].info.len; j++) {
 		    krb5_salt *sp = &salt;
@@ -331,7 +331,7 @@ set_ptypes(krb5_context context,
 
     if(error->e_data) {
 	METHOD_DATA md;
-	int i;
+	size_t i;
 	decode_METHOD_DATA(error->e_data->data,
 			   error->e_data->length,
 			   &md,

lib/krb5/init_creds_pw.c

@@ -759,7 +759,7 @@ pa_etype_info2(krb5_context context,
     krb5_error_code ret;
     ETYPE_INFO2 e;
     size_t sz;
-    int i, j;
+    size_t i, j;
 
     memset(&e, 0, sizeof(e));
     ret = decode_ETYPE_INFO2(data->data, data->length, &e, &sz);
@@ -808,7 +808,7 @@ pa_etype_info(krb5_context context,
     krb5_error_code ret;
     ETYPE_INFO e;
     size_t sz;
-    int i, j;
+    size_t i, j;
 
     memset(&e, 0, sizeof(e));
     ret = decode_ETYPE_INFO(data->data, data->length, &e, &sz);
@@ -889,9 +889,9 @@ static struct pa_info pa_prefs[] = {
 };
 
 static PA_DATA *
-find_pa_data(const METHOD_DATA *md, int type)
+find_pa_data(const METHOD_DATA *md, unsigned type)
 {
-    int i;
+    size_t i;
     if (md == NULL)
 	return NULL;
     for (i = 0; i < md->len; i++)
@@ -908,7 +908,7 @@ process_pa_info(krb5_context context,
 		METHOD_DATA *md)
 {
     struct pa_info_data *p = NULL;
-    int i;
+    size_t i;
 
     for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) {
 	PA_DATA *pa = find_pa_data(md, pa_prefs[i].type);
@@ -989,7 +989,7 @@ add_enc_ts_padata(krb5_context context,
     krb5_error_code ret;
     krb5_salt salt2;
     krb5_enctype *ep;
-    int i;
+    size_t i;
 
     if(salt == NULL) {
 	/* default to standard salt */

lib/krb5/kcm.c

@@ -1155,7 +1155,9 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops = {
     kcm_move,
     kcm_get_default_name_api,
     kcm_set_default,
-    kcm_lastchange
+    kcm_lastchange,
+    NULL,
+    NULL
 };
 
 

lib/krb5/keytab_file.c

@@ -101,7 +101,7 @@ krb5_kt_store_data(krb5_context context,
     if(ret < 0)
 	return ret;
     ret = krb5_storage_write(sp, data.data, data.length);
-    if(ret != data.length){
+    if(ret != (int)data.length){
 	if(ret < 0)
 	    return errno;
 	return KRB5_KT_END;
@@ -119,7 +119,7 @@ krb5_kt_store_string(krb5_storage *sp,
     if(ret < 0)
 	return ret;
     ret = krb5_storage_write(sp, data, len);
-    if(ret != len){
+    if(ret != (int)len){
 	if(ret < 0)
 	    return errno;
 	return KRB5_KT_END;
@@ -182,7 +182,7 @@ krb5_kt_ret_principal(krb5_context context,
 		      krb5_storage *sp,
 		      krb5_principal *princ)
 {
-    int i;
+    size_t i;
     int ret;
     krb5_principal p;
     int16_t len;
@@ -262,7 +262,7 @@ krb5_kt_store_principal(krb5_context context,
 			krb5_storage *sp,
 			krb5_principal p)
 {
-    int i;
+    size_t i;
     int ret;
 
     if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
@@ -699,7 +699,7 @@ fkt_add_entry(krb5_context context,
 	}
 	if(len < 0) {
 	    len = -len;
-	    if(len >= keytab.length) {
+	    if(len >= (int)keytab.length) {
 		krb5_storage_seek(sp, -4, SEEK_CUR);
 		break;
 	    }
@@ -749,8 +749,9 @@ fkt_remove_entry(krb5_context context,
 	    krb5_store_int32(cursor.sp, -len);
 	    memset(buf, 0, sizeof(buf));
 	    while(len > 0) {
-		krb5_storage_write(cursor.sp, buf, min(len, sizeof(buf)));
-		len -= min(len, sizeof(buf));
+		krb5_storage_write(cursor.sp, buf,
+		    min((size_t)len, sizeof(buf)));
+		len -= min((size_t)len, sizeof(buf));
 	    }
 	}
 	krb5_kt_free_entry(context, &e);

lib/krb5/krb5.conf.5

@@ -363,7 +363,7 @@ manual page for a list of defined destinations.
 .Bl -tag -width "xxx" -offset indent
 .It Li dbname Li = Va DATABASENAME
 Use this database for this realm.
-See the info documetation how to configure diffrent database backends.
+See the info documetation how to configure different database backends.
 .It Li realm Li = Va REALM
 Specifies the realm that will be stored in this database.
 It realm isn't set, it will used as the default database, there can

lib/krb5/krb524_convert_creds_kdc.3

@@ -66,7 +66,7 @@ to Kerberos 4 credential that is stored in
 .Fa credentials .
 .Pp
 .Fn krb524_convert_creds_kdc_ccache
-is diffrent from
+is different from
 .Fn krb524_convert_creds_kdc
 in that way that if
 .Fa in_cred

lib/krb5/krb5_c_make_checksum.3

@@ -279,14 +279,14 @@ is a keyed checksum type.
 .Fn krb5_c_is_coll_proof_cksum
 returns true if
 .Fa ctype
-is a collition proof checksum type.
+is a collision proof checksum type.
 .Pp
 .Fn krb5_c_keylengths
-return the minimum length (
-.Fa inlength )
+return the minimum length
+.Fa ( inlength )
 bytes needed to create a key and the
-length (
-.Fa keylength )
+length
+.Fa ( keylength )
 of the resulting key
 for the
 .Fa enctype .

lib/krb5/krb5_get_in_cred.3

@@ -169,7 +169,7 @@ but are more specialized.
 .Nm krb5_get_in_tkt_with_password
 uses the clients password to authenticate.
 If the password argument is
-.DV NULL
+.Dv NULL
 the user user queried with the default password query function.
 .Pp
 .Nm krb5_get_in_tkt_with_keytab

lib/krb5/krb5_init_context.3

@@ -219,7 +219,7 @@ error-code handler
 to the specified
 .Fa context .
 The error handler must generated by the the re-rentrant version of the
-.Xr compile_et 3
+.Xr compile_et 1
 program.
 .Fn krb5_add_extra_addresses
 add a list of addresses that should be added when requesting tickets.

lib/krb5/krb5_is_thread_safe.3

@@ -50,7 +50,7 @@ returns
 if the library was compiled with with multithread support.
 If the library isn't compiled, the consumer have to use a global lock
 to make sure Kerboros functions are not called at the same time by
-diffrent threads.
+different threads.
 .\" .Sh EXAMPLE
 .\" .Sh BUGS
 .Sh SEE ALSO

lib/krb5/krb5_principal.3

@@ -155,12 +155,12 @@ takes an extra
 argument the following flags can be passed in
 .Bl -tag -width Ds
 .It Dv KRB5_PRINCIPAL_PARSE_NO_REALM
-requries the input string to be without a realm, and no realm is
+requires the input string to be without a realm, and no realm is
 stored in the
 .Fa principal
 return argument.
 .It Dv KRB5_PRINCIPAL_PARSE_REQUIRE_REALM
-requries the input string to with a realm.
+requires the input string to with a realm.
 .El
 .Pp
 .Fn krb5_unparse_name

lib/krb5/krb5_string_to_key.3

@@ -114,7 +114,7 @@ The string to key functions convert a string to a kerberos key.
 .Pp
 .Fn krb5_string_to_key_data_salt_opaque
 is the function that does all the work, the rest of the functions are
-just wrapers around
+just wrappers around
 .Fn krb5_string_to_key_data_salt_opaque
 that calls it with default values.
 .Pp

lib/krb5/misc.c

@@ -42,7 +42,7 @@ _krb5_s4u2self_to_checksumdata(krb5_context context,
     krb5_ssize_t ssize;
     krb5_storage *sp;
     size_t size;
-    int i;
+    size_t i;
 
     sp = krb5_storage_emem();
     if (sp == NULL) {
@@ -56,20 +56,20 @@ _krb5_s4u2self_to_checksumdata(krb5_context context,
     for (i = 0; i < self->name.name_string.len; i++) {
 	size = strlen(self->name.name_string.val[i]);
 	ssize = krb5_storage_write(sp, self->name.name_string.val[i], size);
-	if (ssize != size) {
+	if (ssize != (krb5_ssize_t)size) {
 	    ret = ENOMEM;
 	    goto out;
 	}
     }
     size = strlen(self->realm);
     ssize = krb5_storage_write(sp, self->realm, size);
-    if (ssize != size) {
+    if (ssize != (krb5_ssize_t)size) {
 	ret = ENOMEM;
 	goto out;
     }
     size = strlen(self->auth);
     ssize = krb5_storage_write(sp, self->auth, size);
-    if (ssize != size) {
+    if (ssize != (krb5_ssize_t)size) {
 	ret = ENOMEM;
 	goto out;
     }

lib/krb5/mk_error.c

@@ -75,7 +75,8 @@ krb5_mk_error(krb5_context context,
 	msg.realm = server->realm;
 	msg.sname = server->name;
     }else{
-	msg.realm = "<unspecified realm>";
+	static char unspec[] = "<unspecified realm>";
+	msg.realm = unspec;
     }
     if(client){
 	msg.crealm = &client->realm;

lib/krb5/pac.c

@@ -464,7 +464,7 @@ verify_checksum(krb5_context context,
 	goto out;
     }
     ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
-    if (ret != cksum.checksum.length) {
+    if (ret != (int)cksum.checksum.length) {
 	ret = EINVAL;
 	krb5_set_error_message(context, ret, "PAC checksum missing checksum");
 	goto out;
@@ -546,7 +546,7 @@ create_checksum(krb5_context context,
      * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
      * for Microsoft's explaination */
 
-    if (cksumtype == CKSUMTYPE_HMAC_MD5) {
+    if (cksumtype == (uint32_t)CKSUMTYPE_HMAC_MD5) {
 	ret = HMAC_MD5_any_checksum(context, key, data, datalen,
 				    KRB5_KU_OTHER_CKSUM, &cksum);
     } else {
@@ -748,7 +748,7 @@ build_logon_name(krb5_context context,
 
     ret = krb5_storage_write(sp, s2, len * 2);
     free(s2);
-    if (ret != len * 2) {
+    if (ret != (int)(len * 2)) {
 	ret = krb5_enomem(context);
 	goto out;
     }
@@ -932,7 +932,8 @@ _krb5_pac_sign(krb5_context context,
     size_t server_size, priv_size;
     uint32_t server_offset = 0, priv_offset = 0;
     uint32_t server_cksumtype = 0, priv_cksumtype = 0;
-    int i, num = 0;
+    int num = 0;
+    size_t i;
     krb5_data logon, d;
 
     krb5_data_zero(&logon);
@@ -1049,7 +1050,7 @@ _krb5_pac_sign(krb5_context context,
 
 	    end += len;
 	    e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
-	    if (end != e) {
+	    if ((int32_t)end != e) {
 		CHECK(ret, fill_zeros(context, spdata, e - end), out);
 	    }
 	    end = e;
@@ -1066,7 +1067,7 @@ _krb5_pac_sign(krb5_context context,
 	goto out;
     }
     ret = krb5_storage_write(sp, d.data, d.length);
-    if (ret != d.length) {
+    if (ret != (int)d.length) {
 	krb5_data_free(&d);
 	ret = krb5_enomem(context);
 	goto out;

lib/krb5/padata.c

@@ -36,8 +36,8 @@
 KRB5_LIB_FUNCTION PA_DATA * KRB5_LIB_CALL
 krb5_find_padata(PA_DATA *val, unsigned len, int type, int *idx)
 {
-    for(; *idx < len; (*idx)++)
-	if(val[*idx].padata_type == type)
+    for(; *idx < (int)len; (*idx)++)
+	if(val[*idx].padata_type == (unsigned)type)
 	    return val + *idx;
     return NULL;
 }

lib/krb5/pkinit.c

@@ -188,7 +188,8 @@ find_cert(krb5_context context, struct krb5_pk_identity *id,
 	{ "MS EKU" },
 	{ "any (or no)" }
     };
-    int i, ret, start = 1;
+    int ret;
+    size_t i, start;
     unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 };
     const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids };
 
@@ -536,7 +537,7 @@ build_auth_pack(krb5_context context,
 #ifdef HAVE_OPENSSL
 	    ECParameters ecp;
 	    unsigned char *p;
-	    int len;
+	    int xlen;
 
 	    /* copy in public key, XXX find the best curve that the server support or use the clients curve if possible */
 
@@ -551,11 +552,11 @@ build_auth_pack(krb5_context context,
 		free_ECParameters(&ecp);
 		return ENOMEM;
 	    }
-	    ASN1_MALLOC_ENCODE(ECParameters, p, len, &ecp, &size, ret);
+	    ASN1_MALLOC_ENCODE(ECParameters, p, xlen, &ecp, &size, ret);
 	    free_ECParameters(&ecp);
 	    if (ret)
 		return ret;
-	    if (size != len)
+	    if ((int)size != xlen)
 		krb5_abortx(context, "asn1 internal error");
 	    
 	    a->clientPublicValue->algorithm.parameters->data = p;
@@ -578,18 +579,18 @@ build_auth_pack(krb5_context context,
 
 	    /* encode onto dhkey */
 
-	    len = i2o_ECPublicKey(ctx->u.eckey, NULL);
-	    if (len <= 0)
+	    xlen = i2o_ECPublicKey(ctx->u.eckey, NULL);
+	    if (xlen <= 0)
 		abort();
 
-	    dhbuf.data = malloc(len);
+	    dhbuf.data = malloc(xlen);
 	    if (dhbuf.data == NULL)
 		abort();
-	    dhbuf.length = len;
+	    dhbuf.length = xlen;
 	    p = dhbuf.data;
 
-	    len = i2o_ECPublicKey(ctx->u.eckey, &p);
-	    if (len <= 0)
+	    xlen = i2o_ECPublicKey(ctx->u.eckey, &p);
+	    if (xlen <= 0)
 		abort();
 
 	    /* XXX verify that this is right with RFC3279 */
@@ -607,7 +608,8 @@ build_auth_pack(krb5_context context,
 	if (a->supportedCMSTypes == NULL)
 	    return ENOMEM;
 
-	ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, NULL,
+	ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL,
+				     ctx->id->cert,
 				     &a->supportedCMSTypes->val,
 				     &a->supportedCMSTypes->len);
 	if (ret)
@@ -968,7 +970,7 @@ get_reply_key_win(krb5_context context,
 	return ret;
     }
 
-    if (key_pack.nonce != nonce) {
+    if ((unsigned)key_pack.nonce != nonce) {
 	krb5_set_error_message(context, ret,
 			       N_("PKINIT enckey nonce is wrong", ""));
 	free_ReplyKeyPack_Win2k(&key_pack);
@@ -1081,7 +1083,7 @@ pk_verify_host(krb5_context context,
     }
     if (ctx->require_krbtgt_otherName) {
 	hx509_octet_string_list list;
-	int i;
+	size_t i;
 
 	ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx,
 						       host->cert,
@@ -1433,7 +1435,7 @@ pk_rd_pa_reply_dh(krb5_context context,
 				   N_("PKINIT: Can't compute Diffie-Hellman key", ""));
 	    goto out;
 	}
-	if (dh_gen_keylen < size) {
+	if (dh_gen_keylen < (int)size) {
 	    size -= dh_gen_keylen;
 	    memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
 	    memset(dh_gen_key, 0, size);

lib/krb5/principal.c

@@ -426,7 +426,7 @@ unparse_name_fixed(krb5_context context,
 		   int flags)
 {
     size_t idx = 0;
-    int i;
+    size_t i;
     int short_form = (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) != 0;
     int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0;
     int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0;
@@ -549,7 +549,7 @@ unparse_name(krb5_context context,
 	     int flags)
 {
     size_t len = 0, plen;
-    int i;
+    size_t i;
     krb5_error_code ret;
     /* count length */
     if (princ_realm(principal)) {
@@ -917,7 +917,7 @@ krb5_principal_compare_any_realm(krb5_context context,
 				 krb5_const_principal princ1,
 				 krb5_const_principal princ2)
 {
-    int i;
+    size_t i;
     if(princ_num_comp(princ1) != princ_num_comp(princ2))
 	return FALSE;
     for(i = 0; i < princ_num_comp(princ1); i++){
@@ -932,7 +932,7 @@ _krb5_principal_compare_PrincipalName(krb5_context context,
 				      krb5_const_principal princ1,
 				      PrincipalName *princ2)
 {
-    int i;
+    size_t i;
     if (princ_num_comp(princ1) != princ2->name_string.len)
 	return FALSE;
     for(i = 0; i < princ_num_comp(princ1); i++){
@@ -1001,7 +1001,7 @@ krb5_principal_match(krb5_context context,
 		     krb5_const_principal princ,
 		     krb5_const_principal pattern)
 {
-    int i;
+    size_t i;
     if(princ_num_comp(princ) != princ_num_comp(pattern))
 	return FALSE;
     if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0)
@@ -1096,7 +1096,7 @@ static const struct {
     { "ENT_PRINCIPAL_AND_ID", KRB5_NT_ENT_PRINCIPAL_AND_ID },
     { "MS_PRINCIPAL", KRB5_NT_MS_PRINCIPAL },
     { "MS_PRINCIPAL_AND_ID", KRB5_NT_MS_PRINCIPAL_AND_ID },
-    { NULL }
+    { NULL, 0 }
 };
 
 /**

lib/krb5/rd_cred.c

@@ -65,7 +65,7 @@ krb5_rd_cred(krb5_context context,
     EncKrbCredPart enc_krb_cred_part;
     krb5_data enc_krb_cred_part_data;
     krb5_crypto crypto;
-    int i;
+    size_t i;
 
     memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
 

lib/krb5/rd_req.c

@@ -135,7 +135,7 @@ static krb5_error_code
 check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
 {
     char **realms;
-    unsigned int num_realms;
+    unsigned int num_realms, n;
     krb5_error_code ret;
 	
     /*
@@ -161,6 +161,8 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
     ret = krb5_check_transited(context, enc->crealm,
 			       ticket->realm,
 			       realms, num_realms, NULL);
+    for (n = 0; n < num_realms; n++)
+	free(realms[n]);
     free(realms);
     return ret;
 }
@@ -466,7 +468,7 @@ krb5_verify_ap_req2(krb5_context context,
     ac->keytype = ETYPE_NULL;
 
     if (etypes.val) {
-	int i;
+	size_t i;
 
 	for (i = 0; i < etypes.len; i++) {
 	    if (krb5_enctype_valid(context, etypes.val[i]) == 0) {

lib/krb5/salt-des.c

@@ -52,7 +52,7 @@ krb5_DES_AFS3_CMU_string_to_key (krb5_data pw,
 				 DES_cblock *key)
 {
     char  password[8+1];	/* crypt is limited to 8 chars anyway */
-    int   i;
+    size_t   i;
 
     for(i = 0; i < 8; i++) {
 	char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
@@ -89,7 +89,7 @@ krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw,
     memcpy(password, pw.data, min(pw.length, sizeof(password)));
     if(pw.length < sizeof(password)) {
 	int len = min(cell.length, sizeof(password) - pw.length);
-	int i;
+	size_t i;
 
 	memcpy(password + pw.length, cell.data, len);
 	for (i = pw.length; i < pw.length + len; ++i)
@@ -138,7 +138,7 @@ static void
 DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key)
 {
     DES_key_schedule schedule;
-    int i;
+    size_t i;
     int reverse = 0;
     unsigned char *p;
 

lib/krb5/salt.c

@@ -33,6 +33,7 @@
 
 #include "krb5_locl.h"
 
+/* coverity[+alloc : arg-*3] */
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_salttype_to_string (krb5_context context,
 			 krb5_enctype etype,
@@ -98,7 +99,7 @@ krb5_get_pw_salt(krb5_context context,
 		 krb5_salt *salt)
 {
     size_t len;
-    int i;
+    size_t i;
     krb5_error_code ret;
     char *p;
 

lib/krb5/send_to_kdc.c

@@ -88,7 +88,7 @@ recv_loop (krb5_socket_t fd,
 		 return 0;
 
 	     if (limit)
-		 nbytes = min(nbytes, limit - rep->length);
+		 nbytes = min((size_t)nbytes, limit - rep->length);
 
 	     tmp = realloc (rep->data, rep->length + nbytes);
 	     if (tmp == NULL) {
@@ -371,7 +371,7 @@ krb5_sendto (krb5_context context,
 {
      krb5_error_code ret;
      krb5_socket_t fd;
-     int i;
+     size_t i;
 
      krb5_data_zero(receive);
 
@@ -602,7 +602,7 @@ krb5_sendto_context(krb5_context context,
 	    type = KRB5_KRBHST_KDC;
     }
 
-    if (send_data->length > context->large_msg_size)
+    if ((int)send_data->length > context->large_msg_size)
 	ctx->flags |= KRB5_KRBHST_FLAGS_LARGE_MSG;
 
     /* loop until we get back a appropriate response */

lib/krb5/store-int.c

@@ -50,7 +50,7 @@ _krb5_get_int(void *buffer, unsigned long *value, size_t size)
 {
     unsigned char *p = buffer;
     unsigned long v = 0;
-    int i;
+    size_t i;
     for (i = 0; i < size; i++)
 	v = (v << 8) + p[i];
     *value = v;

lib/krb5/store-int.h

@@ -43,6 +43,7 @@ struct krb5_storage_data {
     void (*free)(struct krb5_storage_data*);
     krb5_flags flags;
     int eof_code;
+    size_t max_alloc;
 };
 
 #endif /* __store_int_h__ */

lib/krb5/store.c

@@ -119,6 +119,41 @@ krb5_storage_get_byteorder(krb5_storage *sp)
     return sp->flags & KRB5_STORAGE_BYTEORDER_MASK;
 }
 
+/**
+ * Set the max alloc value
+ *
+ * @param sp the storage buffer set the max allow for
+ * @param size maximum size to allocate, use 0 to remove limit
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_storage_set_max_alloc(krb5_storage *sp, size_t size)
+{
+    sp->max_alloc = size;
+}
+
+/* don't allocate unresonable amount of memory */
+static krb5_error_code
+size_too_large(krb5_storage *sp, size_t size)
+{
+    if (sp->max_alloc && sp->max_alloc < size)
+	return HEIM_ERR_TOO_BIG;
+    return 0;
+}
+
+static krb5_error_code
+size_too_large_num(krb5_storage *sp, size_t count, size_t size)
+{
+    if (sp->max_alloc == 0 || size == 0)
+	return 0;
+    size = sp->max_alloc / size;
+    if (size < count)
+	return HEIM_ERR_TOO_BIG;
+    return 0;
+}
+
 /**
  * Seek to a new offset.
  *
@@ -262,10 +297,11 @@ krb5_storage_to_data(krb5_storage *sp, krb5_data *data)
     pos = sp->seek(sp, 0, SEEK_CUR);
     if (pos < 0)
 	return HEIM_ERR_NOT_SEEKABLE;
-    size = (size_t)sp->seek(sp, 0, SEEK_END);
-    if (size > (size_t)-1)
-	return HEIM_ERR_TOO_BIG;
-    ret = krb5_data_alloc (data, size);
+    size = sp->seek(sp, 0, SEEK_END);
+    ret = size_too_large(sp, size);
+    if (ret)
+	return ret;
+    ret = krb5_data_alloc(data, size);
     if (ret) {
 	sp->seek(sp, pos, SEEK_SET);
 	return ret;
@@ -290,8 +326,10 @@ krb5_store_int(krb5_storage *sp,
 	return EINVAL;
     _krb5_put_int(v, value, len);
     ret = sp->store(sp, v, len);
-    if (ret != len)
-	return (ret<0)?errno:sp->eof_code;
+    if (ret < 0)
+	return errno;
+    if ((size_t)ret != len)
+	return sp->eof_code;
     return 0;
 }
 
@@ -346,8 +384,10 @@ krb5_ret_int(krb5_storage *sp,
     unsigned char v[4];
     unsigned long w;
     ret = sp->fetch(sp, v, len);
-    if(ret != len)
-	return (ret<0)?errno:sp->eof_code;
+    if (ret < 0)
+	return errno;
+    if ((size_t)ret != len)
+	return sp->eof_code;
     _krb5_get_int(v, &w, len);
     *value = w;
     return 0;
@@ -612,11 +652,10 @@ krb5_store_data(krb5_storage *sp,
     if(ret < 0)
 	return ret;
     ret = sp->store(sp, data.data, data.length);
-    if(ret != data.length){
-	if(ret < 0)
-	    return errno;
+    if(ret < 0)
+	return errno;
+    if((size_t)ret != data.length)
 	return sp->eof_code;
-    }
     return 0;
 }
 
@@ -641,6 +680,9 @@ krb5_ret_data(krb5_storage *sp,
     ret = krb5_ret_int32(sp, &size);
     if(ret)
 	return ret;
+    ret = size_too_large(sp, size);
+    if (ret)
+	return ret;
     ret = krb5_data_alloc (data, size);
     if (ret)
 	return ret;
@@ -722,12 +764,10 @@ krb5_store_stringz(krb5_storage *sp, const char *s)
     ssize_t ret;
 
     ret = sp->store(sp, s, len);
-    if(ret != len) {
-	if(ret < 0)
-	    return ret;
-	else
-	    return sp->eof_code;
-    }
+    if(ret < 0)
+	return ret;
+    if((size_t)ret != len)
+	return sp->eof_code;
     return 0;
 }
 
@@ -755,6 +795,9 @@ krb5_ret_stringz(krb5_storage *sp,
 	char *tmp;
 
 	len++;
+	ret = size_too_large(sp, len);
+	if (ret)
+	    break;
 	tmp = realloc (s, len);
 	if (tmp == NULL) {
 	    free (s);
@@ -782,12 +825,10 @@ krb5_store_stringnl(krb5_storage *sp, const char *s)
     ssize_t ret;
 
     ret = sp->store(sp, s, len);
-    if(ret != len) {
-	if(ret < 0)
-	    return ret;
-	else
-	    return sp->eof_code;
-    }
+    if(ret < 0)
+	return ret;
+    if((size_t)ret != len)
+	return sp->eof_code;
     ret = sp->store(sp, "\n", 1);
     if(ret != 1) {
 	if(ret < 0)
@@ -823,6 +864,9 @@ krb5_ret_stringnl(krb5_storage *sp,
 	}
 
 	len++;
+	ret = size_too_large(sp, len);
+	if (ret)
+	    break;
 	tmp = realloc (s, len);
 	if (tmp == NULL) {
 	    free (s);
@@ -860,7 +904,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_principal(krb5_storage *sp,
 		     krb5_const_principal p)
 {
-    int i;
+    size_t i;
     int ret;
 
     if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
@@ -923,6 +967,11 @@ krb5_ret_principal(krb5_storage *sp,
 	free(p);
 	return EINVAL;
     }
+    ret = size_too_large_num(sp, ncomp, sizeof(p->name.name_string.val[0]));
+    if (ret) {
+	free(p);
+	return ret;
+    }
     p->name.name_type = type;
     p->name.name_string.len = ncomp;
     ret = krb5_ret_string(sp, &p->realm);
@@ -930,7 +979,7 @@ krb5_ret_principal(krb5_storage *sp,
 	free(p);
 	return ret;
     }
-    p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val));
+    p->name.name_string.val = calloc(ncomp, sizeof(p->name.name_string.val[0]));
     if(p->name.name_string.val == NULL && ncomp != 0){
 	free(p->realm);
 	free(p);
@@ -1122,7 +1171,7 @@ krb5_ret_address(krb5_storage *sp, krb5_address *adr)
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
 {
-    int i;
+    size_t i;
     int ret;
     ret = krb5_store_int32(sp, p.len);
     if(ret) return ret;
@@ -1147,12 +1196,14 @@ krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
 {
-    int i;
+    size_t i;
     int ret;
     int32_t tmp;
 
     ret = krb5_ret_int32(sp, &tmp);
     if(ret) return ret;
+    ret = size_too_large_num(sp, tmp, sizeof(adr->val[0]));
+    if (ret) return ret;
     adr->len = tmp;
     ALLOC(adr->val, adr->len);
     if (adr->val == NULL && adr->len != 0)
@@ -1179,7 +1230,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
 {
     krb5_error_code ret;
-    int i;
+    size_t i;
     ret = krb5_store_int32(sp, auth.len);
     if(ret) return ret;
     for(i = 0; i < auth.len; i++){
@@ -1211,6 +1262,8 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth)
     int i;
     ret = krb5_ret_int32(sp, &tmp);
     if(ret) return ret;
+    ret = size_too_large_num(sp, tmp, sizeof(auth->val[0]));
+    if (ret) return ret;
     ALLOC_SEQ(auth, tmp);
     if (auth->val == NULL && tmp != 0)
 	return ENOMEM;

lib/krb5/store_emem.c

@@ -45,7 +45,7 @@ static ssize_t
 emem_fetch(krb5_storage *sp, void *data, size_t size)
 {
     emem_storage *s = (emem_storage*)sp->data;
-    if(s->base + s->len - s->ptr < size)
+    if((size_t)(s->base + s->len - s->ptr) < size)
 	size = s->base + s->len - s->ptr;
     memmove(data, s->ptr, size);
     sp->seek(sp, size, SEEK_CUR);
@@ -56,7 +56,7 @@ static ssize_t
 emem_store(krb5_storage *sp, const void *data, size_t size)
 {
     emem_storage *s = (emem_storage*)sp->data;
-    if(size > s->base + s->size - s->ptr){
+    if(size > (size_t)(s->base + s->size - s->ptr)){
 	void *base;
 	size_t sz, off;
 	off = s->ptr - s->base;
@@ -81,12 +81,12 @@ emem_seek(krb5_storage *sp, off_t offset, int whence)
     emem_storage *s = (emem_storage*)sp->data;
     switch(whence){
     case SEEK_SET:
-	if(offset > s->size)
+	if((size_t)offset > s->size)
 	    offset = s->size;
 	if(offset < 0)
 	    offset = 0;
 	s->ptr = s->base + offset;
-	if(offset > s->len)
+	if((size_t)offset > s->len)
 	    s->len = offset;
 	break;
     case SEEK_CUR:
@@ -115,14 +115,14 @@ emem_trunc(krb5_storage *sp, off_t offset)
 	s->size = 0;
 	s->base = NULL;
 	s->ptr = NULL;
-    } else if (offset > s->size || (s->size / 2) > offset) {
+    } else if ((size_t)offset > s->size || (s->size / 2) > (size_t)offset) {
 	void *base;
 	size_t off;
 	off = s->ptr - s->base;
 	base = realloc(s->base, offset);
 	if(base == NULL)
 	    return ENOMEM;
-	if (offset > s->size)
+	if ((size_t)offset > s->size)
 	    memset((char *)base + s->size, 0, offset - s->size);
 	s->size = offset;
 	s->base = base;
@@ -190,5 +190,6 @@ krb5_storage_emem(void)
     sp->seek = emem_seek;
     sp->trunc = emem_trunc;
     sp->free = emem_free;
+    sp->max_alloc = UINT_MAX/8;
     return sp;
 }

lib/krb5/store_fd.c

@@ -128,5 +128,6 @@ krb5_storage_from_fd(krb5_socket_t fd_in)
     sp->seek = fd_seek;
     sp->trunc = fd_trunc;
     sp->free = fd_free;
+    sp->max_alloc = UINT_MAX/8;
     return sp;
 }

lib/krb5/store_mem.c

@@ -44,7 +44,7 @@ static ssize_t
 mem_fetch(krb5_storage *sp, void *data, size_t size)
 {
     mem_storage *s = (mem_storage*)sp->data;
-    if(size > s->base + s->size - s->ptr)
+    if(size > (size_t)(s->base + s->size - s->ptr))
 	size = s->base + s->size - s->ptr;
     memmove(data, s->ptr, size);
     sp->seek(sp, size, SEEK_CUR);
@@ -55,7 +55,7 @@ static ssize_t
 mem_store(krb5_storage *sp, const void *data, size_t size)
 {
     mem_storage *s = (mem_storage*)sp->data;
-    if(size > s->base + s->size - s->ptr)
+    if(size > (size_t)(s->base + s->size - s->ptr))
 	size = s->base + s->size - s->ptr;
     memmove(s->ptr, data, size);
     sp->seek(sp, size, SEEK_CUR);
@@ -74,7 +74,7 @@ mem_seek(krb5_storage *sp, off_t offset, int whence)
     mem_storage *s = (mem_storage*)sp->data;
     switch(whence){
     case SEEK_SET:
-	if(offset > s->size)
+	if((size_t)offset > s->size)
 	    offset = s->size;
 	if(offset < 0)
 	    offset = 0;
@@ -95,7 +95,7 @@ static int
 mem_trunc(krb5_storage *sp, off_t offset)
 {
     mem_storage *s = (mem_storage*)sp->data;
-    if(offset > s->size)
+    if((size_t)offset > s->size)
 	return ERANGE;
     s->size = offset;
     if ((s->ptr - s->base) > offset)
@@ -145,6 +145,7 @@ krb5_storage_from_mem(void *buf, size_t len)
     sp->seek = mem_seek;
     sp->trunc = mem_trunc;
     sp->free = NULL;
+    sp->max_alloc = UINT_MAX/8;
     return sp;
 }
 
@@ -203,5 +204,6 @@ krb5_storage_from_readonly_mem(const void *buf, size_t len)
     sp->seek = mem_seek;
     sp->trunc = mem_no_trunc;
     sp->free = NULL;
+    sp->max_alloc = UINT_MAX/8;
     return sp;
 }

lib/krb5/test_pknistkdf.c

@@ -53,10 +53,6 @@ struct testcase {
     /* 0 */
     {
         NULL,                            /* AlgorithmIdentifier */
-	/* == &asn1_oid_id_pkinit_kdf_ah_sha1.  Addresses of exported
-         * symbols are not considered constant on all platforms
-         * (Windows).  So we set it in main() below. */
-
 	{ /* Z */
 	    256,
 	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
@@ -99,6 +95,98 @@ struct testcase {
 	    "\xc7\x62\x89\xec\x4b\x28\xa6\x91\xff\xce\x80\xbb\xb7\xec\x82\x41"
 	    "\x52\x3f\x99\xb1\x90\xcf\x2d\x34\x8f\x54\xa8\x65\x81\x2c\x32\x73"
 	}
+    },
+    /* 1 */
+    {
+        NULL,                            /* AlgorithmIdentifier */
+	{ /* Z */
+	    256,
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	},
+	"lha@SU.SE", /* client, partyUInfo */
+	"krbtgt/SU.SE@SU.SE", /* server, partyVInfo */
+	ETYPE_AES256_CTS_HMAC_SHA1_96, /* enctype */
+	{ /* as_req */
+	    10,
+	    "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
+	},
+	{ /* pk_as_rep */
+	    9,
+	    "\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB"
+	},
+	{ /* ticket */
+	    55,
+	    "\x61\x35\x30\x33\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05\x53\x55\x2e"
+	    "\x53\x45\xa2\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b"
+	    "\x03\x6c\x68\x61\xa3\x11\x30\x0f\xa0\x03\x02\x01\x12\xa2\x08\x04"
+	    "\x06\x68\x65\x6a\x68\x65\x6a"
+	},
+	{ /* key */
+	    32,
+	    "\x59\xf3\xca\x77\x5b\x20\x17\xe9\xad\x36\x3f\x47\xca\xbd\x43\xb8"
+	    "\x8c\xb8\x90\x35\x8d\xc6\x0d\x52\x0d\x11\x9f\xb0\xdc\x24\x0b\x61"
+	}
+    },
+    /* 2 */
+    {
+        NULL,                            /* AlgorithmIdentifier */
+	{ /* Z */
+	    256,
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	},
+	"lha@SU.SE", /* client, partyUInfo */
+	"krbtgt/SU.SE@SU.SE", /* server, partyVInfo */
+	ETYPE_AES256_CTS_HMAC_SHA1_96, /* enctype */
+	{ /* as_req */
+	    10,
+	    "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
+	},
+	{ /* pk_as_rep */
+	    9,
+	    "\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB"
+	},
+	{ /* ticket */
+	    55,
+	    "\x61\x35\x30\x33\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05\x53\x55\x2e"
+	    "\x53\x45\xa2\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b"
+	    "\x03\x6c\x68\x61\xa3\x11\x30\x0f\xa0\x03\x02\x01\x12\xa2\x08\x04"
+	    "\x06\x68\x65\x6a\x68\x65\x6a"
+	},
+	{ /* key */
+	    32,
+	    "\x8a\x9a\xc5\x5f\x45\xda\x1a\x73\xd9\x1e\xe9\x88\x1f\xa9\x48\x81"
+	    "\xce\xac\x66\x2d\xb1\xd3\xb9\x0a\x9d\x0e\x52\x83\xdf\xe1\x84\x3d"
+	}
     }
 };
 
@@ -265,6 +353,8 @@ main(int argc, char **argv)
 	errx (1, "krb5_init_context failed: %d", ret);
 
     tests[0].oid = &asn1_oid_id_pkinit_kdf_ah_sha1;
+    tests[1].oid = &asn1_oid_id_pkinit_kdf_ah_sha256;
+    tests[2].oid = &asn1_oid_id_pkinit_kdf_ah_sha512;
 
     for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++)
 	test_dh2key(context, i, &tests[i]);

lib/krb5/test_store.c

@@ -193,8 +193,6 @@ test_storage(krb5_context context, krb5_storage *sp)
     test_uint8(context, sp);
     test_uint16(context, sp);
     test_uint32(context, sp);
-
-    krb5_storage_free(sp);
 }
 
 
@@ -217,10 +215,25 @@ test_truncate(krb5_context context, krb5_storage *sp, int fd)
 	krb5_err(context, 1, errno, "fstat");
     if (sb.st_size != 1024)
 	krb5_errx(context, 1, "length not 2");
-
-    krb5_storage_free(sp);
 }
 
+static void
+check_too_large(krb5_context context, krb5_storage *sp)
+{
+    uint32_t too_big_sizes[] = { INT_MAX, INT_MAX / 2, INT_MAX / 4, INT_MAX / 8 + 1};
+    krb5_error_code ret;
+    krb5_data data;
+    size_t n;
+
+    for (n = 0; n < sizeof(too_big_sizes) / sizeof(too_big_sizes); n++) {
+	krb5_storage_truncate(sp, 0);
+	krb5_store_uint32(sp, too_big_sizes[n]);
+	krb5_storage_seek(sp, 0, SEEK_SET);
+	ret = krb5_ret_data(sp, &data);
+	if (ret != HEIM_ERR_TOO_BIG)
+	    errx(1, "not too big: %lu", (unsigned long)n);
+    }
+}
 
 /*
  *
@@ -284,10 +297,13 @@ main(int argc, char **argv)
 	krb5_errx(context, 1, "krb5_storage_emem: no mem");
 
     test_storage(context, sp);
+    check_too_large(context, sp);
+    krb5_storage_free(sp);
+
 
     fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600);
     if (fd < 0)
-	krb5_err(context, 1, errno, "open(%s", fn);
+	krb5_err(context, 1, errno, "open(%s)", fn);
 
     sp = krb5_storage_from_fd(fd);
     close(fd);
@@ -295,6 +311,7 @@ main(int argc, char **argv)
 	krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn);
 
     test_storage(context, sp);
+    krb5_storage_free(sp);
     unlink(fn);
 
     /*
@@ -303,13 +320,14 @@ main(int argc, char **argv)
 
     fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600);
     if (fd < 0)
-	krb5_err(context, 1, errno, "open(%s", fn);
+	krb5_err(context, 1, errno, "open(%s)", fn);
 
     sp = krb5_storage_from_fd(fd);
     if (sp == NULL)
 	krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn);
 
     test_truncate(context, sp, fd);
+    krb5_storage_free(sp);
     close(fd);
     unlink(fn);
 

lib/krb5/test_x500.c

@@ -0,0 +1,110 @@
+/*
+ * Copyright (c) 2011 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+/*
+ *
+ */
+
+static void
+check_linear(krb5_context context,
+	     const char *client_realm,
+	     const char *server_realm,
+	     const char *realm,
+	     ...)
+{
+    unsigned int num_inrealms = 0, num_realms = 0, n;
+    char **inrealms = NULL;
+    char **realms = NULL;
+    krb5_error_code ret;
+    krb5_data tr;
+    va_list va;
+
+    krb5_data_zero(&tr);
+
+    va_start(va, realm);
+    
+    while (realm) {
+	inrealms = erealloc(inrealms, (num_inrealms + 2) * sizeof(inrealms[0]));
+	inrealms[num_inrealms] = rk_UNCONST(realm);
+	num_inrealms++;
+	realm = va_arg(va, const char *);
+    }
+    if (inrealms)
+	inrealms[num_inrealms] = NULL;
+
+    ret = krb5_domain_x500_encode(inrealms, num_inrealms, &tr);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_domain_x500_encode");
+
+    ret = krb5_domain_x500_decode(context, tr,
+				  &realms, &num_realms,
+				  client_realm, server_realm);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_domain_x500_decode");
+
+    krb5_data_free(&tr);
+
+    if (num_inrealms != num_realms)
+	errx(1, "num_inrealms != num_realms");
+
+    for(n = 0; n < num_realms; n++)
+	free(realms[n]);
+    free(realms);
+
+    free(inrealms);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+
+    setprogname(argv[0]);
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx(1, "krb5_init_context");
+
+
+    check_linear(context, "KTH1.SE", "KTH1.SE", NULL);
+    check_linear(context, "KTH1.SE", "KTH2.SE", NULL);
+    check_linear(context, "KTH1.SE", "KTH3.SE", "KTH2.SE", NULL);
+    check_linear(context, "KTH1.SE", "KTH4.SE", "KTH3.SE", "KTH2.SE", NULL);
+    check_linear(context, "KTH1.SE", "KTH5.SE", "KTH4.SE", "KTH3.SE", "KTH2.SE", NULL);
+
+    return 0;
+}

lib/krb5/ticket.c

@@ -195,7 +195,7 @@ find_type_in_ad(krb5_context context,
 		int level)
 {
     krb5_error_code ret = 0;
-    int i;
+    size_t i;
 
     if (level > 9) {
 	ret = ENOENT; /* XXX */
@@ -748,7 +748,7 @@ _krb5_extract_ticket(krb5_context context,
 
     /* compare nonces */
 
-    if (nonce != rep->enc_part.nonce) {
+    if (nonce != (unsigned)rep->enc_part.nonce) {
 	ret = KRB5KRB_AP_ERR_MODIFIED;
 	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
 	goto out;

lib/krb5/transited.c

@@ -370,7 +370,7 @@ krb5_domain_x500_decode(krb5_context context,
 	    (*num_realms)++;
 	}
     }
-    if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms))
+    if (*num_realms + 1 > UINT_MAX/sizeof(**realms))
 	return ERANGE;
 
     {
@@ -410,7 +410,7 @@ krb5_domain_x500_encode(char **realms, unsigned int num_realms,
 	return ENOMEM;
     *s = '\0';
     for(i = 0; i < num_realms; i++){
-	if(i && i < num_realms - 1)
+	if(i)
 	    strlcat(s, ",", len + 1);
 	if(realms[i][0] == '/')
 	    strlcat(s, " ", len + 1);
@@ -431,7 +431,7 @@ krb5_check_transited(krb5_context context,
 {
     char **tr_realms;
     char **p;
-    int i;
+    size_t i;
 
     if(num_realms == 0)
 	return 0;
@@ -467,7 +467,7 @@ krb5_check_transited_realms(krb5_context context,
 			    unsigned int num_realms,
 			    int *bad_realm)
 {
-    int i;
+    size_t i;
     int ret = 0;
     char **bad_realms = krb5_config_get_strings(context, NULL,
 						"libdefaults",

lib/krb5/version-script.map

@@ -606,6 +606,7 @@ HEIMDAL_KRB5_2.0 {
 		krb5_storage_set_byteorder;
 		krb5_storage_set_eof_code;
 		krb5_storage_set_flags;
+		krb5_storage_set_max_alloc;
 		krb5_storage_to_data;
 		krb5_storage_truncate;
 		krb5_storage_write;