From ghudson at mit.edu Thu Feb 12 21:05:42 2026 From: ghudson at mit.edu (ghudson at mit.edu) Date: Thu, 12 Feb 2026 21:05:42 -0500 (EST) Subject: krb5 commit: Fix several portability issues affecting Solaris Message-ID: <20260213020542.4578B1042A5@krbdev.mit.edu> https://github.com/krb5/krb5/commit/4c8ec1637252a6b22e2665e6003a88e709f8db6c commit 4c8ec1637252a6b22e2665e6003a88e709f8db6c Author: Martin ??eh??k Date: Wed Feb 11 02:17:39 2026 -0500 Fix several portability issues affecting Solaris Commit 1bfcf572241a4ec0e44e609e5c6b7c0b11b08eea added a trailing semicolon to the Solaris INIT_FINI_PREP, causing a syntax error when MAKE_SHLIB_COMMAND uses it as "$(INIT_FINI_PREP} && ${LDCOMBINE} ...". Remove it. Commit a575589ef525fb139cafa0de1a05382845f0afbd introduced UNIX domain socket variables named "sun", which is defined to 1 on Solaris. Use "unaddr" or avoid declaring a variable. Commit 1c87ce6c44a9de0824580a2d72a8a202237e01f4 changed pkinit_constants.c to use char arrays for OID constants, for brevity when including them in krb5_data initializers. But many of the array elements are not within the range of a signed char, causing errors with the Solaris C compiler. Change these constants to uint8_t arrays and introduce a macro to shorten the krb5_data initializers. [ghudson at mit.edu: edited for style; wrote commit message] ticket: 9195 src/config/shlib.conf | 2 +- src/lib/apputils/net-server.c | 10 ++-- src/lib/krb5/os/addr.c | 5 +- src/lib/krb5/os/locate_kdc.c | 13 ++--- src/plugins/preauth/pkinit/pkinit_constants.c | 72 +++++++++++++-------------- 5 files changed, 49 insertions(+), 53 deletions(-) diff --git a/src/config/shlib.conf b/src/config/shlib.conf index d14ededab..066b10534 100644 --- a/src/config/shlib.conf +++ b/src/config/shlib.conf 
@@ -239,7 +239,7 @@ mips-*-netbsd*) # Did Solaris 7 and earlier have a linker option for this? ;; *) - INIT_FINI_PREP='initfini=; for f in . $(LIBINITFUNC); do if test $$f = .; then :; else initfini="$$initfini -Wl,-z,initarray=$${f}__auxinit"; fi; done;' + INIT_FINI_PREP='initfini=; for f in . $(LIBINITFUNC); do if test $$f = .; then :; else initfini="$$initfini -Wl,-z,initarray=$${f}__auxinit"; fi; done' use_linker_init_option=yes ;; esac diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c index 9b04cfd01..e48fc7eed 100644 --- a/src/lib/apputils/net-server.c +++ b/src/lib/apputils/net-server.c @@ -938,7 +938,7 @@ setup_addresses(verto_ctx *ctx, void *handle, const char *prog, size_t i; int err, bound_any; struct bind_address addr; - struct sockaddr_un sun; + struct sockaddr_un unaddr; struct addrinfo hints, *ai_list = NULL, *ai = NULL; struct sockact_list sockacts = { 0 }; verto_callback vcb; @@ -967,16 +967,16 @@ setup_addresses(verto_ctx *ctx, void *handle, const char *prog, hints.ai_socktype = bind_socktypes[addr.type]; if (addr.type == UNX) { - sun.sun_family = AF_UNIX; - if (strlcpy(sun.sun_path, addr.address, sizeof(sun.sun_path)) >= - sizeof(sun.sun_path)) { + unaddr.sun_family = AF_UNIX; + if (strlcpy(unaddr.sun_path, addr.address, + sizeof(unaddr.sun_path)) >= sizeof(unaddr.sun_path)) { ret = ENAMETOOLONG; krb5_klog_syslog(LOG_ERR, _("UNIX domain socket path too long: %s"), addr.address); goto cleanup; } - ret = setup_socket(&addr, (struct sockaddr *)&sun, &sockacts, + ret = setup_socket(&addr, (struct sockaddr *)&unaddr, &sockacts, handle, prog, ctx, listen_backlog, verto_callbacks[addr.type], bind_conn_types[addr.type]); diff --git a/src/lib/krb5/os/addr.c b/src/lib/krb5/os/addr.c index e351ef800..c303c1414 100644 --- a/src/lib/krb5/os/addr.c +++ b/src/lib/krb5/os/addr.c 
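Review bot: `unaddr` is passed to `setup_socket()` in the `addr.type == UNX` branch with only `sun_family` and `sun_path` assigned, because its declaration in the preceding hunk (`struct sockaddr_un unaddr;`) has no initializer. The equivalent code in locate_kdc.c in this same commit zero-initializes with `= { 0 }`. On platforms whose `sockaddr_un` has further members such as `sun_len`, those bytes stay indeterminate; whether `setup_socket()` reads them is not visible here. Declaring it as `struct sockaddr_un unaddr = { 0 };` would make the two call sites consistent. `setup_addresses()` begins and ends outside these hunks.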
@@ -62,10 +62,9 @@ k5_sockaddr_to_address(const struct sockaddr *sa, krb5_boolean local_use, } #ifndef _WIN32 } else if (sa->sa_family == AF_UNIX && local_use) { - const struct sockaddr_un *sun = sa2sun(sa); out->addrtype = ADDRTYPE_UNIXSOCK; - out->length = strlen(sun->sun_path); - out->contents = (uint8_t *)sun->sun_path; + out->length = strlen(sa2sun(sa)->sun_path); + out->contents = (uint8_t *)sa2sun(sa)->sun_path; #endif } else { return KRB5_PROG_ATYPE_NOSUPP; diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c index 0cceff800..f0743c7cf 100644 --- a/src/lib/krb5/os/locate_kdc.c +++ b/src/lib/krb5/os/locate_kdc.c @@ -296,16 +296,17 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm, #ifndef _WIN32 if (hostspec[0] == '/') { - struct sockaddr_un sun = { 0 }; + struct sockaddr_un unaddr = { 0 }; - sun.sun_family = AF_UNIX; - if (strlcpy(sun.sun_path, hostspec, sizeof(sun.sun_path)) >= - sizeof(sun.sun_path)) { + unaddr.sun_family = AF_UNIX; + if (strlcpy(unaddr.sun_path, hostspec, sizeof(unaddr.sun_path)) >= + sizeof(unaddr.sun_path)) { code = ENAMETOOLONG; goto cleanup; } - code = add_addr_to_list(serverlist, UNIXSOCK, AF_UNIX, sizeof(sun), - (struct sockaddr *)&sun); + code = add_addr_to_list(serverlist, UNIXSOCK, AF_UNIX, + sizeof(unaddr), + (struct sockaddr *)&unaddr); if (code) goto cleanup; continue; diff --git a/src/plugins/preauth/pkinit/pkinit_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c index a32b373c3..19ef23cff 100644 --- a/src/plugins/preauth/pkinit/pkinit_constants.c +++ b/src/plugins/preauth/pkinit/pkinit_constants.c 
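Review bot: `strlen(sa2sun(sa)->sun_path)` in the `AF_UNIX` branch assumes the path is NUL-terminated inside `sun_path`. On some systems a kernel-filled address (for instance from `getsockname()` or `accept()`) can occupy the whole array with no terminator, and the scan would then read past the structure. Bounding it with `out->length = strnlen(sa2sun(sa)->sun_path, sizeof(sa2sun(sa)->sun_path));` avoids that; whether any caller can pass such an address is not visible in this hunk. A short comment such as `/* contents points into *sa and is valid only while sa is */` would also document that `out->contents` aliases the caller's storage. `k5_sockaddr_to_address()` starts and ends outside the hunk.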
@@ -32,19 +32,27 @@ #include "pkinit.h" +#define DATA_FROM_ARRAY(a) { KV5M_DATA, sizeof(a), (char *)a } + /* RFC 8636 id-pkinit-kdf-ah-sha1: iso(1) identified-organization(3) dod(6) * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha1(1) */ -static char kdf_sha1[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01 }; +static uint8_t kdf_sha1[8] = { + 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01 +}; /* RFC 8636 id-pkinit-kdf-ah-sha256: iso(1) identified-organization(3) dod(6) * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha256(2) */ -static char kdf_sha256[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x02 }; +static uint8_t kdf_sha256[8] = { + 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x02 +}; /* RFC 8636 id-pkinit-kdf-ah-sha512: iso(1) identified-organization(3) dod(6) * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha512(3) */ -static char kdf_sha512[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x03 }; +static uint8_t kdf_sha512[8] = { + 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x03 +}; -const krb5_data kdf_sha1_id = { KV5M_DATA, sizeof(kdf_sha1), kdf_sha1 }; -const krb5_data kdf_sha256_id = { KV5M_DATA, sizeof(kdf_sha256), kdf_sha256 }; -const krb5_data kdf_sha512_id = { KV5M_DATA, sizeof(kdf_sha512), kdf_sha512 }; +const krb5_data kdf_sha1_id = DATA_FROM_ARRAY(kdf_sha1); +const krb5_data kdf_sha256_id = DATA_FROM_ARRAY(kdf_sha256); +const krb5_data kdf_sha512_id = DATA_FROM_ARRAY(kdf_sha512); krb5_data const * const supported_kdf_alg_ids[] = { &kdf_sha256_id, 
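Review bot: `DATA_FROM_ARRAY(a)` expands its argument unparenthesized in `(char *)a` and relies on `sizeof(a)` being an array size. If it is ever handed a pointer, it still compiles and silently records the pointer size as the OID length. I would write `#define DATA_FROM_ARRAY(a) { KV5M_DATA, sizeof(a), (char *)(a) }` and put a comment above it such as `/* a must be an array object, not a pointer, so that sizeof(a) is the OID length. */`. Every use visible in this file section passes a static array, so this is hardening and documentation rather than a live bug. The macro is used the same way in the following hunk.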
@@ -55,81 +63,69 @@ krb5_data const * const supported_kdf_alg_ids[] = { /* RFC 3370 sha-1: iso(1) identified-organization(3) oiw(14) secsig(3) * algorithm(2) 26 */ -static char cms_sha1[] = { 0x2b, 0x0e, 0x03, 0x02, 0x1a }; +static uint8_t cms_sha1[] = { 0x2b, 0x0e, 0x03, 0x02, 0x1a }; /* RFC 5754 id-sha256: joint-iso-itu-t(2) country(16) us(840) organization(1) * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 */ -static char cms_sha256[] = { +static uint8_t cms_sha256[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 }; /* RFC 5754 id-sha384: joint-iso-itu-t(2) country(16) us(840) organization(1) * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 */ -static char cms_sha384[] = { +static uint8_t cms_sha384[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 }; /* RFC 5754 id-sha512: joint-iso-itu-t(2) country(16) us(840) organization(1) * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 */ -static char cms_sha512[] = { +static uint8_t cms_sha512[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 }; -const krb5_data cms_sha1_id = { KV5M_DATA, sizeof(cms_sha1), cms_sha1 }; -const krb5_data cms_sha256_id = { KV5M_DATA, sizeof(cms_sha256), cms_sha256 }; -const krb5_data cms_sha384_id = { KV5M_DATA, sizeof(cms_sha384), cms_sha384 }; -const krb5_data cms_sha512_id = { KV5M_DATA, sizeof(cms_sha512), cms_sha512 }; +const krb5_data cms_sha1_id = DATA_FROM_ARRAY(cms_sha1); +const krb5_data cms_sha256_id = DATA_FROM_ARRAY(cms_sha256); +const krb5_data cms_sha384_id = DATA_FROM_ARRAY(cms_sha384); +const krb5_data cms_sha512_id = DATA_FROM_ARRAY(cms_sha512); /* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840) * rsadsi(113549) pkcs(1) 1 11 */ -static char sha256WithRSAEncr_oid[9] = { +static uint8_t sha256WithRSAEncr_oid[9] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b }; /* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840) * rsadsi(113549) pkcs(1) 1 13 */ -static char sha512WithRSAEncr_oid[9] = { +static uint8_t 
sha512WithRSAEncr_oid[9] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d }; /* RFC 3279 ecdsa-with-SHA1: iso(1) member-body(2) us(840) ansi-X9-62(10045) * signatures(4) 1 */ -static char ecdsaWithSha1_oid[] = { +static uint8_t ecdsaWithSha1_oid[] = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01 }; /* RFC 5758 ecdsa-with-SHA256: iso(1) member-body(2) us(840) ansi-X9-62(10045) * signatures(4) ecdsa-with-SHA2(3) 2 */ -static char ecdsaWithSha256_oid[] = { +static uint8_t ecdsaWithSha256_oid[] = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 }; /* RFC 5758 ecdsa-with-SHA384: iso(1) member-body(2) us(840) ansi-X9-62(10045) * signatures(4) ecdsa-with-SHA2(3) 3 */ -static char ecdsaWithSha384_oid[] = { +static uint8_t ecdsaWithSha384_oid[] = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03 }; /* RFC 5758 ecdsa-with-SHA512: iso(1) member-body(2) us(840) ansi-X9-62(10045) * signatures(4) ecdsa-with-SHA2(3) 4 */ -static char ecdsaWithSha512_oid[] = { +static uint8_t ecdsaWithSha512_oid[] = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04 }; -const krb5_data sha256WithRSAEncr_id = { - KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid -}; -const krb5_data sha512WithRSAEncr_id = { - KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid -}; -const krb5_data ecdsaWithSha1_id = { - KV5M_DATA, sizeof(ecdsaWithSha1_oid), ecdsaWithSha1_oid -}; -const krb5_data ecdsaWithSha256_id = { - KV5M_DATA, sizeof(ecdsaWithSha256_oid), ecdsaWithSha256_oid -}; -const krb5_data ecdsaWithSha384_id = { - KV5M_DATA, sizeof(ecdsaWithSha384_oid), ecdsaWithSha384_oid -}; -const krb5_data ecdsaWithSha512_id = { - KV5M_DATA, sizeof(ecdsaWithSha512_oid), ecdsaWithSha512_oid -}; +const krb5_data sha256WithRSAEncr_id = DATA_FROM_ARRAY(sha256WithRSAEncr_oid); +const krb5_data sha512WithRSAEncr_id = DATA_FROM_ARRAY(sha512WithRSAEncr_oid); +const krb5_data ecdsaWithSha1_id = DATA_FROM_ARRAY(ecdsaWithSha1_oid); +const krb5_data ecdsaWithSha256_id = 
DATA_FROM_ARRAY(ecdsaWithSha256_oid); +const krb5_data ecdsaWithSha384_id = DATA_FROM_ARRAY(ecdsaWithSha384_oid); +const krb5_data ecdsaWithSha512_id = DATA_FROM_ARRAY(ecdsaWithSha512_oid); krb5_data const * const supported_cms_algs[] = { &ecdsaWithSha512_id,
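Review bot: The context comment above `sha512WithRSAEncr_oid` still reads `RFC 4055 sha256WithRSAEncryption: ... pkcs(1) 1 13`, but the final arc 13 (byte `0x0d`) is sha512WithRSAEncryption, which matches the variable name. Since the declaration directly below it is touched here, the comment's first line could be corrected to `/* RFC 4055 sha512WithRSAEncryption: iso(1) member-body(2) us(840)`. A mislabelled algorithm OID is easy to misread when auditing which signature algorithms PKINIT accepts.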