From 18a9d6d38615e298f41dc8f44da4bada9858801e Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 30 Dec 2022 09:46:07 +0800 Subject: krb5: upgrade 1.17.2 -> 1.20.1 Release Notes: https://web.mit.edu/kerberos/krb5-1.20/krb5-1.20.1.html License-Update: Update AES algorithm copyright [1] Update copyright years [2] [1] https://github.com/krb5/krb5/commit/cb5f190056ef4d123c5fe5d4923982b830288438 [2] https://github.com/krb5/krb5/commit/f1535bf6b47e8dc03d69fcfb98e798546ff7c272 * Update PACKAGECONFIG[keyutils] and drop the local patch. * Drop backport CVE patches. * Inherit pkgconfig bbclass to find com_err library correctly. * Drop --without-tcl option as it has been removed upstream. Signed-off-by: Yi Zhao Signed-off-by: Khem Raj --- ...d-parameter-to-disable-keyutils-detection.patch | 32 ---- .../krb5/krb5/CVE-2021-36222.patch | 121 ------------- .../krb5/krb5/CVE-2021-37750.patch | 53 ------ meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb | 199 --------------------- meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb | 198 ++++++++++++++++++++ 5 files changed, 198 insertions(+), 405 deletions(-) delete mode 100644 meta-oe/recipes-connectivity/krb5/krb5/0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch delete mode 100644 meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch delete mode 100644 meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch delete mode 100644 meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb create mode 100644 meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb diff --git a/meta-oe/recipes-connectivity/krb5/krb5/0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch b/meta-oe/recipes-connectivity/krb5/krb5/0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch deleted file mode 100644 index cbd5d71fdf..0000000000 --- a/meta-oe/recipes-connectivity/krb5/krb5/0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch +++ /dev/null @@ -1,32 +0,0 @@ -From a9e4057bfda190ad365b503af058b460ab8c7616 Mon Sep 17 00:00:00 2001 -From: Martin Jansa -Date: Tue, 1 Oct 2013 22:22:57 +0200 -Subject: [PATCH] aclocal: Add parameter to disable keyutils detection - -Signed-off-by: Martin Jansa - ---- - aclocal.m4 | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/aclocal.m4 b/aclocal.m4 -index d6d1279..80ce604 100644 ---- a/aclocal.m4 -+++ b/aclocal.m4 -@@ -1679,12 +1679,16 @@ fi - dnl - dnl If libkeyutils exists (on Linux) include it and use keyring ccache - AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ -+AC_ARG_ENABLE([keyutils], -+AC_HELP_STRING([--disable-keyutils],don't enable using keyutils for keyring ccache @<:@enabled@:>@), , enable_keyutils=yes) -+if test "$enable_keyutils" = yes; then - AC_CHECK_HEADERS([keyutils.h], - AC_CHECK_LIB(keyutils, add_key, - [dnl Pre-reqs were found - AC_DEFINE(USE_KEYRING_CCACHE, 1, [Define if the keyring ccache should be enabled]) - LIBS="-lkeyutils $LIBS" - ])) -+fi - ])dnl - dnl - dnl If libkeyutils supports persistent keyrings, use them diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch deleted file mode 100644 index fee6e64c15..0000000000 --- a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch +++ /dev/null @@ -1,121 +0,0 @@ -From fc98f520caefff2e5ee9a0026fdf5109944b3562 Mon Sep 17 00:00:00 2001 -From: Joseph Sutton -Date: Wed, 7 Jul 2021 11:47:44 +1200 -Subject: [PATCH] Fix KDC null deref on bad encrypted challenge - -The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check -to avoid further processing if the armor key is NULL. However, this -check is bypassed by a call to k5memdup0() which overwrites retval -with 0 if the allocation succeeds. If the armor key is NULL, a call -to krb5_c_fx_cf2_simple() will then dereference it, resulting in a -crash. Add a check before the k5memdup0() call to avoid overwriting -retval. - -CVE-2021-36222: - -In MIT krb5 releases 1.16 and later, an unauthenticated attacker can -cause a null dereference in the KDC by sending a request containing a -PA-ENCRYPTED-CHALLENGE padata element without using FAST. - -[ghudson@mit.edu: trimmed patch; added test case; edited commit -message] - -ticket: 9007 (new) -tags: pullup -target_version: 1.19-next -target_version: 1.18-next - -CVE: CVE-2021-36222 - -Upstream-Status: Backport -[https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562] - -Signed-off-by: Yi Zhao ---- - src/kdc/kdc_preauth_ec.c | 3 ++- - src/tests/Makefile.in | 1 + - src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++ - 3 files changed, 49 insertions(+), 1 deletion(-) - create mode 100644 src/tests/t_cve-2021-36222.py - -diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c -index 7e636b3f9..43a9902cc 100644 ---- a/src/kdc/kdc_preauth_ec.c -+++ b/src/kdc/kdc_preauth_ec.c -@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, - } - - /* Check for a configured FAST ec auth indicator. */ -- realmstr = k5memdup0(realm.data, realm.length, &retval); -+ if (retval == 0) -+ realmstr = k5memdup0(realm.data, realm.length, &retval); - if (realmstr != NULL) - retval = profile_get_string(context->profile, KRB5_CONF_REALMS, - realmstr, -diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in -index fc6fcc0c3..1a1938306 100644 ---- a/src/tests/Makefile.in -+++ b/src/tests/Makefile.in -@@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self - $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS) -+ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS) - $(RM) au.log - $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \ -diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py -new file mode 100644 -index 000000000..57e04993b ---- /dev/null -+++ b/src/tests/t_cve-2021-36222.py -@@ -0,0 +1,46 @@ -+import socket -+from k5test import * -+ -+realm = K5Realm() -+ -+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth -+# without FAST -+ -+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) -+a = (hostname, realm.portbase) -+ -+m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE -+ 'A103' '0201' '05' # [1] pvno = 5 -+ 'A203' '0201' '0A' # [2] msg-type = 10 -+ 'A30E' '300C' # [3] padata = SEQUENCE OF -+ '300A' # SEQUENCE -+ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE -+ 'A202' '0400' # [2] padata-value = "" -+ 'A48180' '307E' # [4] req-body = SEQUENCE -+ 'A007' '0305' '0000000000' # [0] kdc-options = 0 -+ 'A120' '301E' # [1] cname = SEQUENCE -+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL -+ 'A117' '3015' # [1] name-string = SEQUENCE-OF -+ '1B06' '6B7262746774' # krbtgt -+ '1B0B' '4B5242544553542E434F4D' -+ # KRBTEST.COM -+ 'A20D' '1B0B' '4B5242544553542E434F4D' -+ # [2] realm = KRBTEST.COM -+ 'A320' '301E' # [3] sname = SEQUENCE -+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL -+ 'A117' '3015' # [1] name-string = SEQUENCE-OF -+ '1B06' '6B7262746774' # krbtgt -+ '1B0B' '4B5242544553542E434F4D' -+ # KRBTEST.COM -+ 'A511' '180F' '31393934303631303036303331375A' -+ # [5] till = 19940610060317Z -+ 'A703' '0201' '00' # [7] nonce = 0 -+ 'A808' '3006' # [8] etype = SEQUENCE OF -+ '020112' '020111') # aes256-cts aes128-cts -+ -+s.sendto(bytes.fromhex(m), a) -+ -+# Make sure kinit still works. -+realm.kinit(realm.user_princ, password('user')) -+ -+success('CVE-2021-36222 regression test') --- -2.25.1 - diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch deleted file mode 100644 index c67bca32e7..0000000000 --- a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-37750.patch +++ /dev/null @@ -1,53 +0,0 @@ -From b3999be7ab59a5af4b2f1042ce0d6b03ecb17d4e Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 3 Aug 2021 01:15:27 -0400 -Subject: [PATCH] Fix KDC null deref on TGS inner body null server - -After the KDC decodes a FAST inner body, it does not check for a null -server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this -would typically result in an error from krb5_unparse_name(), but with -the addition of get_local_tgt() it results in a null dereference. Add -a null check. - -Reported by Joseph Sutton of Catalyst. - -CVE-2021-37750: - -In MIT krb5 releases 1.14 and later, an authenticated attacker can -cause a null dereference in the KDC by sending a FAST TGS request with -no server field. - -ticket: 9008 (new) -tags: pullup -target_version: 1.19-next -target_version: 1.18-next - -CVE: CVE-2021-37750 - -Upstream-Status: Backport -[https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49] - -Signed-off-by: Yi Zhao ---- - src/kdc/do_tgs_req.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index 587342a..622b48f 100644 ---- a/src/kdc/do_tgs_req.c -+++ b/src/kdc/do_tgs_req.c -@@ -201,6 +201,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, - status = "FIND_FAST"; - goto cleanup; - } -+ if (sprinc == NULL) { -+ status = "NULL_SERVER"; -+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; -+ goto cleanup; -+ } - - errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server, - &local_tgt, &local_tgt_storage); --- -2.17.1 - diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb deleted file mode 100644 index 6e0b2fdacb..0000000000 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb +++ /dev/null @@ -1,199 +0,0 @@ -SUMMARY = "A network authentication protocol" -DESCRIPTION = "Kerberos is a system for authenticating users and services on a network. \ - Kerberos is a trusted third-party service. That means that there is a \ - third party (the Kerberos server) that is trusted by all the entities on \ - the network (users and services, usually called "principals"). \ - . \ - This is the MIT reference implementation of Kerberos V5. \ - . \ - This package contains the Kerberos key server (KDC). The KDC manages all \ - authentication credentials for a Kerberos realm, holds the master keys \ - for the realm, and responds to authentication requests. This package \ - should be installed on both master and slave KDCs." - -HOMEPAGE = "http://web.mit.edu/Kerberos/" -SECTION = "console/network" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=dd4d0ad4c5e98abb58aa0d312f276791" -DEPENDS = "bison-native ncurses util-linux e2fsprogs e2fsprogs-native openssl" - -inherit autotools-brokensep binconfig perlnative systemd update-rc.d - -SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" -SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ - file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \ - file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \ - file://crosscompile_nm.patch \ - file://etc/init.d/krb5-kdc \ - file://etc/init.d/krb5-admin-server \ - file://etc/default/krb5-kdc \ - file://etc/default/krb5-admin-server \ - file://krb5-kdc.service \ - file://krb5-admin-server.service \ - file://CVE-2021-36222.patch;striplevel=2 \ - file://CVE-2021-37750.patch;striplevel=2 \ -" -SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f" -SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134" - -CVE_PRODUCT = "kerberos" -CVE_VERSION = "5-${PV}" - -S = "${WORKDIR}/${BP}/src" - -PACKAGECONFIG ??= "pkinit" -PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" -PACKAGECONFIG[openssl] = "--with-crypto-impl=openssl,,openssl" -PACKAGECONFIG[keyutils] = "--enable-keyutils,--disable-keyutils,keyutils" -PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap" -PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline" -PACKAGECONFIG[pkinit] = "--enable-pkinit, --disable-pkinit" - -EXTRA_OECONF += " --without-tcl --with-system-et --disable-rpath" -CACHED_CONFIGUREVARS += "krb5_cv_attr_constructor_destructor=yes ac_cv_func_regcomp=yes \ - ac_cv_printf_positional=yes ac_cv_file__etc_environment=yes \ - ac_cv_file__etc_TIMEZONE=no" - -CFLAGS:append = " -fPIC -DDESTRUCTOR_ATTR_WORKS=1 -I${STAGING_INCDIR}/et" -CFLAGS:append:riscv64 = " -D_REENTRANT -pthread" -LDFLAGS:append = " -pthread" - -do_configure() { - gnu-configize --force - autoreconf - oe_runconf -} - -do_install:append() { - rm -rf ${D}/${localstatedir}/run - rm -f ${D}${bindir}/sclient - rm -f ${D}${bindir}/sim_client - rm -f ${D}${bindir}/uuclient - rm -f ${D}${sbindir}/krb5-send-pr - rm -f ${D}${sbindir}/sim_server - rm -f ${D}${sbindir}/sserver - rm -f ${D}${sbindir}/uuserver - - if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then - mkdir -p ${D}/${sysconfdir}/init.d ${D}/${sysconfdir}/default - install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/${sysconfdir}/init.d - install -m 0644 ${WORKDIR}/etc/default/* ${D}/${sysconfdir}/default - - mkdir -p ${D}/${sysconfdir}/default/volatiles - echo "d root root 0755 ${localstatedir}/run/krb5kdc none" \ - > ${D}${sysconfdir}/default/volatiles/87_krb5 - - echo "RUN_KADMIND=true" >> ${D}/${sysconfdir}/default/krb5-admin-server - fi - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d - echo "d /run/krb5kdc - - - -" \ - > ${D}${sysconfdir}/tmpfiles.d/krb5.conf - - mkdir -p ${D}/${sysconfdir}/default - install -m 0644 ${WORKDIR}/etc/default/* ${D}/${sysconfdir}/default - - install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/krb5-admin-server.service ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/krb5-kdc.service ${D}${systemd_system_unitdir} - fi - - sed -e 's@[^ ]*-ffile-prefix-map=[^ "]*@@g' \ - -e 's@[^ ]*-fdebug-prefix-map=[^ "]*@@g' \ - -e 's@[^ ]*-fmacro-prefix-map=[^ "]*@@g' \ - -i ${D}${bindir}/krb5-config -} - -PACKAGES =+ "${PN}-admin-server \ - ${PN}-gss-samples \ - ${PN}-k5tls \ - ${PN}-kdc \ - ${PN}-kdc-ldap \ - ${PN}-kpropd \ - ${PN}-otp \ - ${PN}-pkinit \ - ${PN}-spake \ - ${PN}-user \ - libgssapi-krb5 \ - libgssrpc \ - libk5crypto \ - libkadm5clnt-mit \ - libkadm5srv-mit \ - libkdb5 \ - libkrad \ - libkrb5 \ - libkrb5support \ - libverto" - -FILES:${PN} = "${libdir}/krb5/plugins/preauth/test.so" -FILES:${PN}-doc += "${datadir}/examples" -FILES:${PN}-dbg += "${libdir}/krb5/plugins/*/.debug" - -FILES:${PN}-admin-server = "${sbindir}/kadmin.local \ - ${sbindir}/kadmind \ - ${sbindir}/kprop \ - ${sysconfdir}/default/krb5-admin-server \ - ${sysconfdir}/init.d/krb5-admin-server \ - ${systemd_system_unitdir}/krb5-admin-server.service" - -FILES:${PN}-gss-samples = "${bindir}/gss-client \ - ${sbindir}/gss-server" - -FILES:${PN}-k5tls = "${libdir}/krb5/plugins/tls/k5tls.so" - -FILES:${PN}-kdc = "${libdir}/krb5/plugins/kdb/db2.so \ - ${localstatedir}/krb5kdc \ - ${sbindir}/kdb5_util \ - ${sbindir}/kproplog \ - ${sbindir}/krb5kdc \ - ${sysconfdir}/default/krb5-kdc \ - ${sysconfdir}/default/volatiles/87_krb5 \ - ${sysconfdir}/init.d/krb5-kdc \ - ${sysconfdir}/tmpfiles.d/krb5.conf \ - ${systemd_system_unitdir}/krb5-kdc.service" - -FILES:${PN}-kdc-ldap = "${libdir}/krb5/libkdb_ldap${SOLIBS} \ - ${libdir}/krb5/plugins/kdb/kldap.so \ - ${sbindir}/kdb5_ldap_util" - -FILES:${PN}-kpropd = "${sbindir}/kpropd" -FILES:${PN}-otp = "${libdir}/krb5/plugins/preauth/otp.so" -FILES:${PN}-pkinit = "${libdir}/krb5/plugins/preauth/pkinit.so" -FILES:${PN}-spake = "${libdir}/krb5/plugins/preauth/spake.so" -FILES:${PN}-user = "${bindir}/k*" - -FILES:libgssapi-krb5 = "${libdir}/libgssapi_krb5${SOLIBS}" -FILES:libgssrpc = "${libdir}/libgssrpc${SOLIBS}" -FILES:libk5crypto = "${libdir}/libk5crypto${SOLIBS}" -FILES:libkadm5clnt-mit = "${libdir}/libkadm5clnt_mit${SOLIBS}" -FILES:libkadm5srv-mit = "${libdir}/libkadm5srv_mit${SOLIBS}" -FILES:libkdb5 = "${libdir}/libkdb5${SOLIBS}" -FILES:libkrad = "${libdir}/libkrad${SOLIBS}" -FILES:libkrb5 = "${libdir}/libkrb5${SOLIBS} \ - ${libdir}/krb5/plugins/authdata \ - ${libdir}/krb5/plugins/libkrb5" -FILES:libkrb5support = "${libdir}/libkrb5support${SOLIBS}" -FILES:libverto = "${libdir}/libverto${SOLIBS}" - -RDEPENDS:${PN}-kadmin-server = "${PN}-kdc" -RDEPENDS:${PN}-kpropd = "${PN}-kdc" - -INITSCRIPT_PACKAGES = "${PN}-admin-server ${PN}-kdc" -INITSCRIPT_NAME:${PN}-admin-server = "krb5-admin-server" -INITSCRIPT_NAME:${PN}-kdc = "krb5-kdc" - -SYSTEMD_PACKAGES = "${PN}-admin-server ${PN}-kdc" -SYSTEMD_SERVICE:${PN}-admin-server = "krb5-admin-server.service" -SYSTEMD_SERVICE:${PN}-kdc = "krb5-kdc.service" - -pkg_postinst:${PN}-kdc () { - if [ -z "$D" ]; then - if command -v systemd-tmpfiles >/dev/null; then - systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/krb5.conf - elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then - ${sysconfdir}/init.d/populate-volatile.sh update - fi - fi -} - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb new file mode 100644 index 0000000000..2221000e3b --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb @@ -0,0 +1,198 @@ +SUMMARY = "A network authentication protocol" +DESCRIPTION = "Kerberos is a system for authenticating users and services on a network. \ + Kerberos is a trusted third-party service. That means that there is a \ + third party (the Kerberos server) that is trusted by all the entities on \ + the network (users and services, usually called "principals"). \ + . \ + This is the MIT reference implementation of Kerberos V5. \ + . \ + This package contains the Kerberos key server (KDC). The KDC manages all \ + authentication credentials for a Kerberos realm, holds the master keys \ + for the realm, and responds to authentication requests. This package \ + should be installed on both master and slave KDCs." + +HOMEPAGE = "http://web.mit.edu/Kerberos/" +SECTION = "console/network" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=1d31018dba5a0ef195eb426a1e61f02e" + +inherit autotools-brokensep binconfig perlnative systemd update-rc.d pkgconfig + +SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" +SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ + file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \ + file://crosscompile_nm.patch \ + file://etc/init.d/krb5-kdc \ + file://etc/init.d/krb5-admin-server \ + file://etc/default/krb5-kdc \ + file://etc/default/krb5-admin-server \ + file://krb5-kdc.service \ + file://krb5-admin-server.service \ +" +SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686" +SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851" + +CVE_PRODUCT = "kerberos" +CVE_VERSION = "5-${PV}" + +S = "${WORKDIR}/${BP}/src" + +DEPENDS = "bison-native ncurses util-linux e2fsprogs e2fsprogs-native openssl" + +PACKAGECONFIG ??= "pkinit" +PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" +PACKAGECONFIG[openssl] = "--with-crypto-impl=openssl,,openssl" +PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils" +PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap" +PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline" +PACKAGECONFIG[pkinit] = "--enable-pkinit, --disable-pkinit" + +EXTRA_OECONF += "--with-system-et --disable-rpath" +CACHED_CONFIGUREVARS += "krb5_cv_attr_constructor_destructor=yes ac_cv_func_regcomp=yes \ + ac_cv_printf_positional=yes ac_cv_file__etc_environment=yes \ + ac_cv_file__etc_TIMEZONE=no" + +CFLAGS:append = " -fPIC -DDESTRUCTOR_ATTR_WORKS=1 -I${STAGING_INCDIR}/et" +CFLAGS:append:riscv64 = " -D_REENTRANT -pthread" +LDFLAGS:append = " -pthread" + +do_configure() { + gnu-configize --force + autoreconf + oe_runconf +} + +do_install:append() { + rm -rf ${D}/${localstatedir}/run + rm -f ${D}${bindir}/sclient + rm -f ${D}${bindir}/sim_client + rm -f ${D}${bindir}/uuclient + rm -f ${D}${sbindir}/krb5-send-pr + rm -f ${D}${sbindir}/sim_server + rm -f ${D}${sbindir}/sserver + rm -f ${D}${sbindir}/uuserver + + if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then + mkdir -p ${D}/${sysconfdir}/init.d ${D}/${sysconfdir}/default + install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/${sysconfdir}/init.d + install -m 0644 ${WORKDIR}/etc/default/* ${D}/${sysconfdir}/default + + mkdir -p ${D}/${sysconfdir}/default/volatiles + echo "d root root 0755 ${localstatedir}/run/krb5kdc none" \ + > ${D}${sysconfdir}/default/volatiles/87_krb5 + + echo "RUN_KADMIND=true" >> ${D}/${sysconfdir}/default/krb5-admin-server + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /run/krb5kdc - - - -" \ + > ${D}${sysconfdir}/tmpfiles.d/krb5.conf + + mkdir -p ${D}/${sysconfdir}/default + install -m 0644 ${WORKDIR}/etc/default/* ${D}/${sysconfdir}/default + + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/krb5-admin-server.service ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/krb5-kdc.service ${D}${systemd_system_unitdir} + fi + + sed -e 's@[^ ]*-ffile-prefix-map=[^ "]*@@g' \ + -e 's@[^ ]*-fdebug-prefix-map=[^ "]*@@g' \ + -e 's@[^ ]*-fmacro-prefix-map=[^ "]*@@g' \ + -i ${D}${bindir}/krb5-config +} + +PACKAGES =+ "${PN}-admin-server \ + ${PN}-gss-samples \ + ${PN}-k5tls \ + ${PN}-kdc \ + ${PN}-kdc-ldap \ + ${PN}-kpropd \ + ${PN}-otp \ + ${PN}-pkinit \ + ${PN}-spake \ + ${PN}-user \ + libgssapi-krb5 \ + libgssrpc \ + libk5crypto \ + libkadm5clnt-mit \ + libkadm5srv-mit \ + libkdb5 \ + libkrad \ + libkrb5 \ + libkrb5support \ + libverto" + +FILES:${PN} = "${libdir}/krb5/plugins/preauth/test.so" +FILES:${PN}-doc += "${datadir}/examples" +FILES:${PN}-dbg += "${libdir}/krb5/plugins/*/.debug" + +FILES:${PN}-admin-server = "${sbindir}/kadmin.local \ + ${sbindir}/kadmind \ + ${sbindir}/kprop \ + ${sysconfdir}/default/krb5-admin-server \ + ${sysconfdir}/init.d/krb5-admin-server \ + ${systemd_system_unitdir}/krb5-admin-server.service" + +FILES:${PN}-gss-samples = "${bindir}/gss-client \ + ${sbindir}/gss-server" + +FILES:${PN}-k5tls = "${libdir}/krb5/plugins/tls/k5tls.so" + +FILES:${PN}-kdc = "${libdir}/krb5/plugins/kdb/db2.so \ + ${localstatedir}/krb5kdc \ + ${sbindir}/kdb5_util \ + ${sbindir}/kproplog \ + ${sbindir}/krb5kdc \ + ${sysconfdir}/default/krb5-kdc \ + ${sysconfdir}/default/volatiles/87_krb5 \ + ${sysconfdir}/init.d/krb5-kdc \ + ${sysconfdir}/tmpfiles.d/krb5.conf \ + ${systemd_system_unitdir}/krb5-kdc.service" + +FILES:${PN}-kdc-ldap = "${libdir}/krb5/libkdb_ldap${SOLIBS} \ + ${libdir}/krb5/plugins/kdb/kldap.so \ + ${sbindir}/kdb5_ldap_util" + +FILES:${PN}-kpropd = "${sbindir}/kpropd" +FILES:${PN}-otp = "${libdir}/krb5/plugins/preauth/otp.so" +FILES:${PN}-pkinit = "${libdir}/krb5/plugins/preauth/pkinit.so" +FILES:${PN}-spake = "${libdir}/krb5/plugins/preauth/spake.so" +FILES:${PN}-user = "${bindir}/k*" + +FILES:libgssapi-krb5 = "${libdir}/libgssapi_krb5${SOLIBS}" +FILES:libgssrpc = "${libdir}/libgssrpc${SOLIBS}" +FILES:libk5crypto = "${libdir}/libk5crypto${SOLIBS}" +FILES:libkadm5clnt-mit = "${libdir}/libkadm5clnt_mit${SOLIBS}" +FILES:libkadm5srv-mit = "${libdir}/libkadm5srv_mit${SOLIBS}" +FILES:libkdb5 = "${libdir}/libkdb5${SOLIBS}" +FILES:libkrad = "${libdir}/libkrad${SOLIBS}" +FILES:libkrb5 = "${libdir}/libkrb5${SOLIBS} \ + ${libdir}/krb5/plugins/authdata \ + ${libdir}/krb5/plugins/libkrb5" +FILES:libkrb5support = "${libdir}/libkrb5support${SOLIBS}" +FILES:libverto = "${libdir}/libverto${SOLIBS}" + +RDEPENDS:${PN}-kadmin-server = "${PN}-kdc" +RDEPENDS:${PN}-kpropd = "${PN}-kdc" + +INITSCRIPT_PACKAGES = "${PN}-admin-server ${PN}-kdc" +INITSCRIPT_NAME:${PN}-admin-server = "krb5-admin-server" +INITSCRIPT_NAME:${PN}-kdc = "krb5-kdc" + +SYSTEMD_PACKAGES = "${PN}-admin-server ${PN}-kdc" +SYSTEMD_SERVICE:${PN}-admin-server = "krb5-admin-server.service" +SYSTEMD_SERVICE:${PN}-kdc = "krb5-kdc.service" + +pkg_postinst:${PN}-kdc () { + if [ -z "$D" ]; then + if command -v systemd-tmpfiles >/dev/null; then + systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/krb5.conf + elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then + ${sysconfdir}/init.d/populate-volatile.sh update + fi + fi +} + +BBCLASSEXTEND = "native nativesdk" -- cgit v1.2.3-54-g00ecf