main/heimdal: filter invalid enctypes instead of rejecting

(cherry picked from commit 265b5747b9dd90b6a6f06b2b8f60618083ebd61b)

2 files changed, 53 insertions, 2 deletions

diff --git a/main/heimdal/APKBUILD b/main/heimdal/APKBUILD
index 139539e195..e98d9cf016 100644
--- a/main/heimdal/APKBUILD
+++ b/main/heimdal/APKBUILD
@@ -2,7 +2,7 @@
 # Contributor: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=heimdal
 pkgver=1.3.1
-pkgrel=3
+pkgrel=4
 pkgdesc="An implementation of Kerberos 5"
 url="http://www.h5l.org/"
 license="BSD"
@@ -22,6 +22,7 @@ source="http://www.h5l.org/dist/src/$pkgname-$pkgver.tar.gz
 100-check-com_err-pthread.patch
 heimdal-c++-safe-krb5_cccol_cursor.patch
 heimdal-locate_plugin-header.patch
+return-invalid-enctype-for-weak-crypto.patch
 "
 
 # krb5.h needs com_err.h
@@ -41,6 +42,7 @@ prepare() {
         patch -Np1 -i ../100-check-com_err-pthread.patch || return 1
         patch -Np1 -i ../heimdal-c++-safe-krb5_cccol_cursor.patch || return 1
         patch -Np1 -i ../heimdal-locate_plugin-header.patch || return 1
+        patch -Np1 -i ../return-invalid-enctype-for-weak-crypto.patch || return 1
 
         # name clash with ruserpass in netdb.h
         sed -i -e 's/ruserpass/ruserpw/g' appl/ftp/ftp/*.[ch] || return 1
@@ -176,4 +178,5 @@ md5sums="4ce17deae040a3519e542f48fd901f21  heimdal-1.3.1.tar.gz
 8208ae8c0b6ff5ab4f64af1693e9e396  014_all_heimdal-path.patch
 e73205200f9641b5d969427ffb04282a  100-check-com_err-pthread.patch
 7ebff9a320f18ed62f5fcb68c8fc18b8  heimdal-c++-safe-krb5_cccol_cursor.patch
-248ab80b44568171e432a23524f4fe39  heimdal-locate_plugin-header.patch"
+248ab80b44568171e432a23524f4fe39  heimdal-locate_plugin-header.patch
+a8342f77a1aedb4f332983bcbf141827  return-invalid-enctype-for-weak-crypto.patch"
diff --git a/main/heimdal/return-invalid-enctype-for-weak-crypto.patch b/main/heimdal/return-invalid-enctype-for-weak-crypto.patch
new file mode 100644
index 0000000000..c8ce39fefe
--- /dev/null
+++ b/main/heimdal/return-invalid-enctype-for-weak-crypto.patch
@@ -0,0 +1,48 @@
+--- a/lib/krb5/context.c
++++ b/lib/krb5/context.c
+@@ -825,23 +825,33 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+ krb5_set_default_in_tkt_etypes(krb5_context context,
+                               const krb5_enctype *etypes)
+ {
++    krb5_error_code ret;
+     krb5_enctype *p = NULL;
+-    int i;
++    unsigned int n, m;
+
+     if(etypes) {
+-       for (i = 0; etypes[i]; ++i) {
+-           krb5_error_code ret;
+-           ret = krb5_enctype_valid(context, etypes[i]);
+-           if (ret)
+-               return ret;
+-       }
+-       ++i;
+-       ALLOC(p, i);
++       for (n = 0; etypes[n]; n++)
++           ;
++       n++;
++       ALLOC(p, n);
+        if(!p) {
+-           krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
++           krb5_set_error_message (context, ENOMEM,
++                                   N_("malloc: out of memory", ""));
+            return ENOMEM;
+        }
+-       memmove(p, etypes, i * sizeof(krb5_enctype));
++       for (n = 0, m = 0; etypes[n]; n++) {
++           ret = krb5_enctype_valid(context, etypes[n]);
++           if (ret)
++               continue;
++           p[m++] = etypes[n];
++       }
++       p[m] = ETYPE_NULL;
++       if (m == 0) {
++           free(p);
++           krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
++                                   N_("no valid enctype set", ""));
++           return KRB5_PROG_ETYPE_NOSUPP;
++       }
+     }
+     if(context->etypes)
+        free(context->etypes);
+