Bug 2172836

Summary: perl-Authen-Krb5: uses internal krb5 functions, so build in C89 mode
Product: [Fedora] Fedora Reporter: Florian Weimer <fweimer>
Component: perl-Authen-Krb5 Assignee: Florian Weimer <fweimer>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhide CC: perl-devel, simon
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: perl-Authen-Krb5-1.9-39.fc39
Last Closed: 2023-02-28 15:13:43 UTC Type: Bug
Bug Blocks: 2137516    

Description Florian Weimer 2023-02-23 09:21:51 UTC
Just like appl/simple/client/sim_client.c in krb5 itself, perl-Authen-Krb5 uses internal APIs (krb5_gen_portaddr, krb5_gen_replay_name, krb5_free_enc_tkt_part) in its example code. These functions also have been added to the XS module.

As these functions are internal, it's not really possible to call them outside krb5. There's no function prototype in the installed header files.

I asked for advice on the kerberos list:

appl/simple/client/sim_client.c uses internal APIs
<https://mailman.mit.edu/pipermail/kerberos/2023-February/022905.html>

Comment 1 Florian Weimer 2023-02-28 11:50:45 UTC
This now has been resolved on the krb5 side. The internal function calls are not really required given how the example has been written.

Unfortunately, calls to krb5_free_enc_tkt_part and krb5_free_address remain. I think both calls appear in contexts that are a bit dubious, and crashes are only avoided due to memory leaks.

When an Authen::Krb5::EncTktPart object is returned from Authen::Krb5::Ticket::enc_part2, it would actually be required that this object retains a reference to the original Authen::Krb5::Ticket object. Instead it creates a new object with its own reference counter, and then papers over some adverse effect with that krb5_free_enc_tkt_part call in Authen::Krb5::EncTktPart::DESTROY.

The DESTROY method for Authen::Krb5::Address calls krb5_free_address. This calls C free on the contents member, but that contents member is set to a SvPV-allocated pointer in Authen::Krb5::Address::new.

I guess we have to build this in C89 mode to make these undeclared function calls valid for now. I'll report these issues upstream as well.
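
A plain-C model of the ownership rule Comment 1 describes for Authen::Krb5::EncTktPart, as an added example that is not part of the bug report or the module's code: the view object retains its parent ticket and never frees the borrowed part itself. The `ticket` and `enc_view` types, the counter and all function names are hypothetical stand-ins, not krb5 or XS APIs.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the Perl-side wrappers; not krb5 or XS types. */
typedef struct ticket {
    int refs;          /* references held by wrappers */
    char *enc_part2;   /* decoded part, owned by the ticket */
} ticket;

typedef struct enc_view {
    ticket *parent;    /* strong reference: keeps the ticket alive */
    const char *part;  /* borrowed pointer into parent->enc_part2 */
} enc_view;

int tickets_released = 0;  /* demo counter: how many tickets were freed */

ticket *ticket_new(const char *decoded) {
    ticket *t = malloc(sizeof *t);
    if (!t) return NULL;
    t->enc_part2 = malloc(strlen(decoded) + 1);
    if (!t->enc_part2) { free(t); return NULL; }
    strcpy(t->enc_part2, decoded);
    t->refs = 1;
    return t;
}

/* Drop one reference; the last holder frees the ticket and its part once. */
void ticket_unref(ticket *t) {
    if (--t->refs > 0) return;
    free(t->enc_part2);
    free(t);
    tickets_released++;
}

/* Accessor model: borrow the decoded part and retain its owner. */
enc_view *enc_view_new(ticket *t) {
    enc_view *v = malloc(sizeof *v);
    if (!v) return NULL;
    t->refs++;
    v->parent = t;
    v->part = t->enc_part2;
    return v;
}

/* Destructor model: never free the borrowed part, only release the owner. */
void enc_view_destroy(enc_view *v) {
    ticket_unref(v->parent);
    free(v);
}
```

Dropping the ticket wrapper before the view leaves `v->part` valid, and the memory is released exactly once when the view is destroyed.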

Comment 2 Florian Weimer 2023-02-28 12:14:15 UTC
Uh-oh. Upstream basically closed down in January.

<https://metacpan.org/dist/Authen-Krb5> links to <https://github.com/sophos/p5-Krb5/commits/master>, which is archived. It probably does not make sense to report this to <https://rt.cpan.org/Public/Dist/Display.html?Name=Authen-Krb5>, given that this leads reporters to the archived GitHub repository, too.