From: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon, 26 Jan 2026 16:46:26 +0000 (+0000)
Subject: krb5: Update to 1.22.1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b1aed32fa23e94f34c514d9e78a56386ae82d86;p=ipfire-2.x.git

krb5: Update to 1.22.1

This also fixes a build against glibc >= 2.43.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/lfs/krb5 b/lfs/krb5
index 7ca5acd56..cdf2d80d6 100644
--- a/lfs/krb5
+++ b/lfs/krb5
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = Kerberos
 
-VER        = 1.21.3
+VER        = 1.22.1
 
 THISAPP    = krb5-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -34,9 +34,6 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)/src
 TARGET     = $(DIR_INFO)/$(THISAPP)
 
-# Fix build with GCC 15
-CFLAGS += -std=gnu17
-
 ###############################################################################
 # Top-level Rules
 ###############################################################################
@@ -45,7 +42,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = e909a55eaedab68e5c829bb7bbd26cec5db2d7b8d97f3b034de94d8f957003f16977ac619afee3b862f288e59f05c5e44f41e65b8883961c8b22a26e2f4733bc
+$(DL_FILE)_BLAKE2 = aed6a7f511ae7085a81fa6dc553881ea478bb8bb8aa43ab13e1312ead392fb93173998bfdfc730dca4d715b2ed52da6a12f2417f95525d9ff5c4629e8ca5fedc
 
 install : $(TARGET)
 
@@ -79,6 +76,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_SRC)/$(THISAPP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && patch -Np2 -i $(DIR_SRC)/src/patches/krb5-1.18.3_remove_known_failed_test.patch
+	cd $(DIR_APP) && patch -Np2 < $(DIR_SRC)/src/patches/krb5-1.12.3-FTBFS.patch
 	cd $(DIR_APP) && ./configure \
 		--prefix=/usr \
 		--sysconfdir=/etc \
diff --git a/src/patches/krb5-1.12.3-FTBFS.patch b/src/patches/krb5-1.12.3-FTBFS.patch
new file mode 100644
index 000000000..938df0556
--- /dev/null
+++ b/src/patches/krb5-1.12.3-FTBFS.patch
@@ -0,0 +1,188 @@
+From ad4dcf1856dadc4b352b5c8ff08e51c7290fb41f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 10 Dec 2025 10:42:02 +0200
+Subject: [PATCH] Fix strchr() conformance to C23
+
+C23 7.28.5.1 specifies search functions such as strchr() as generic,
+returning const char * if the first argument is of type const char *.
+Fix uses of strchr() to conform to this change.
+
+[jrische@redhat.com: altered changes to avoid casts; fixed an
+additional case]
+[ghudson@mit.edu: condensed some declarations; rewrote commit message]
+
+ticket: 9191 (new)
+---
+ src/lib/krb5/ccache/ccbase.c                      |  4 ++--
+ src/lib/krb5/os/expand_path.c                     |  3 ++-
+ src/lib/krb5/os/locate_kdc.c                      | 15 +++++++--------
+ src/plugins/preauth/pkinit/pkinit_crypto.h        |  2 +-
+ .../preauth/pkinit/pkinit_crypto_openssl.c        |  6 +++---
+ src/plugins/preauth/pkinit/pkinit_identity.c      |  2 +-
+ src/plugins/preauth/pkinit/pkinit_matching.c      |  2 +-
+ src/tests/responder.c                             |  3 +--
+ 8 files changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/src/lib/krb5/ccache/ccbase.c b/src/lib/krb5/ccache/ccbase.c
+index 696b681812..30a0a410c5 100644
+--- a/src/lib/krb5/ccache/ccbase.c
++++ b/src/lib/krb5/ccache/ccbase.c
+@@ -201,8 +201,8 @@ krb5_cc_register(krb5_context context, const krb5_cc_ops *ops,
+ krb5_error_code KRB5_CALLCONV
+ krb5_cc_resolve (krb5_context context, const char *name, krb5_ccache *cache)
+ {
+-    char *pfx, *cp;
+-    const char *resid;
++    char *pfx;
++    const char *cp, *resid;
+     unsigned int pfxlen;
+     krb5_error_code err;
+     const krb5_cc_ops *ops;
+diff --git a/src/lib/krb5/os/expand_path.c b/src/lib/krb5/os/expand_path.c
+index 5cbccf08c8..6569b8820b 100644
+--- a/src/lib/krb5/os/expand_path.c
++++ b/src/lib/krb5/os/expand_path.c
+@@ -454,7 +454,8 @@ k5_expand_path_tokens_extra(krb5_context context, const char *path_in,
+ {
+     krb5_error_code ret;
+     struct k5buf buf;
+-    char *tok_begin, *tok_end, *tok_val, **extra_tokens = NULL, *path;
++    const char *tok_begin, *tok_end;
++    char *tok_val, **extra_tokens = NULL, *path;
+     const char *path_left;
+     size_t nargs = 0, i;
+     va_list ap;
+diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
+index c186bce51c..0cceff8000 100644
+--- a/src/lib/krb5/os/locate_kdc.c
++++ b/src/lib/krb5/os/locate_kdc.c
+@@ -214,8 +214,8 @@ oom:
+ }
+ 
+ static void
+-parse_uri_if_https(const char *host_or_uri, k5_transport *transport,
+-                   const char **host, const char **uri_path)
++parse_uri_if_https(char *host_or_uri, k5_transport *transport,
++                   char **host, const char **uri_path)
+ {
+     char *cp;
+ 
+@@ -257,8 +257,7 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm,
+                   k5_transport transport, int udpport)
+ {
+     const char *realm_srv_names[4];
+-    char **hostlist = NULL, *realmstr = NULL, *host = NULL;
+-    const char *hostspec;
++    char **hostlist = NULL, *realmstr = NULL, *host = NULL, *hostspec;
+     krb5_error_code code;
+     size_t i;
+     int default_port;
+@@ -587,8 +586,8 @@ prof_locate_server(krb5_context context, const krb5_data *realm,
+  * Return a NULL *host_out if there are any problems parsing the URI.
+  */
+ static void
+-parse_uri_fields(const char *uri, k5_transport *transport_out,
+-                 const char **host_out, int *primary_out)
++parse_uri_fields(char *uri, k5_transport *transport_out,
++                 char **host_out, int *primary_out)
+ 
+ {
+     k5_transport transport;
+@@ -656,8 +655,8 @@ locate_uri(krb5_context context, const krb5_data *realm,
+     krb5_error_code ret;
+     k5_transport transport, host_trans;
+     struct srv_dns_entry *answers, *entry;
+-    char *host, *sitename;
+-    const char *host_field, *path;
++    char *host, *sitename, *host_field;
++    const char *path;
+     int port, def_port, primary;
+ 
+     ret = get_sitename(context, realm, &sitename);
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
+index 57bb3cb840..be2d02c227 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
+@@ -440,7 +440,7 @@ krb5_error_code crypto_load_cas_and_crls
+ 		    defines the storage type (file, directory, etc) */
+ 	int catype,					/* IN
+ 		    defines the ca type (anchor, intermediate, crls) */
+-	char *id);					/* IN
++	const char *id);				/* IN
+ 		    defines the location (filename, directory name, etc) */
+ 
+ /*
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index bd25bae478..d1fe18e5ab 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -4999,7 +4999,7 @@ load_cas_and_crls(krb5_context context,
+                   pkinit_req_crypto_context req_cryptoctx,
+                   pkinit_identity_crypto_context id_cryptoctx,
+                   int catype,
+-                  char *filename)
++                  const char *filename)
+ {
+     STACK_OF(X509_INFO) *sk = NULL;
+     STACK_OF(X509) *ca_certs = NULL;
+@@ -5157,7 +5157,7 @@ load_cas_and_crls_dir(krb5_context context,
+                       pkinit_req_crypto_context req_cryptoctx,
+                       pkinit_identity_crypto_context id_cryptoctx,
+                       int catype,
+-                      char *dirname)
++                      const char *dirname)
+ {
+     krb5_error_code retval = EINVAL;
+     char **fnames = NULL, *filename;
+@@ -5201,7 +5201,7 @@ crypto_load_cas_and_crls(krb5_context context,
+                          pkinit_identity_crypto_context id_cryptoctx,
+                          int idtype,
+                          int catype,
+-                         char *id)
++                         const char *id)
+ {
+     switch (idtype) {
+     case IDTYPE_FILE:
+diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
+index 0dcfcfc46a..ad65f237b0 100644
+--- a/src/plugins/preauth/pkinit/pkinit_identity.c
++++ b/src/plugins/preauth/pkinit/pkinit_identity.c
+@@ -473,7 +473,7 @@ process_option_ca_crl(krb5_context context,
+                       const char *value,
+                       int catype)
+ {
+-    char *residual;
++    const char *residual;
+     unsigned int typelen;
+     int idtype;
+ 
+diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
+index 0ea072c887..b3c8df1610 100644
+--- a/src/plugins/preauth/pkinit/pkinit_matching.c
++++ b/src/plugins/preauth/pkinit/pkinit_matching.c
+@@ -262,7 +262,7 @@ parse_rule_component(krb5_context context,
+     char err_buf[128];
+     int ret;
+     struct keyword_desc *kw, *nextkw;
+-    char *nk;
++    const char *nk;
+     int found_next_kw = 0;
+     char *value = NULL;
+     size_t len;
+diff --git a/src/tests/responder.c b/src/tests/responder.c
+index 82f870ea5d..4221a20283 100644
+--- a/src/tests/responder.c
++++ b/src/tests/responder.c
+@@ -282,8 +282,7 @@ responder(krb5_context ctx, void *rawdata, krb5_responder_context rctx)
+     /* Provide a particular response for an OTP challenge. */
+     if (data->otp_answer != NULL) {
+         if (krb5_responder_otp_get_challenge(ctx, rctx, &ochl) == 0) {
+-            key = strchr(data->otp_answer, '=');
+-            if (key != NULL) {
++            if (strchr(data->otp_answer, '=') != NULL) {
+                 /* Make a copy of the answer that we can chop up. */
+                 key = strdup(data->otp_answer);
+                 if (key == NULL)
+-- 
+2.47.3
+