Complete Yocto mirror with license table for TQMa6UL (2038-compliance)

- 264 license table entries with exact download URLs (224/264 resolved)
- Complete sources/ directory with all BitBake recipes
- Build configuration: tqma6ul-multi-mba6ulx, spaetzle (musl)
- Full traceability for Softwarefreigabeantrag
- GCC 13.4.0, Linux 6.6.102, U-Boot 2023.04, musl 1.2.4
- License distribution: GPL-2.0 (24), MIT (23), GPL-2.0+ (18), BSD-3 (16)
Siggi (OpenClaw Agent)
2026-03-01 20:58:18 +00:00
commit 16accb6b24
15086 changed files with 1292356 additions and 0 deletions


@@ -0,0 +1,207 @@
From c5f9c816107f70139de11b38aa02db2f1774ee0d Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 5 Mar 2024 19:53:07 -0500
Subject: [PATCH] Fix two unlikely memory leaks
In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
could probably never be triggered) leaks plain.data. Fix this leak
and use current practices for cleanup throughout the function.
In xmt_rmtcallres() (unused within the tree and likely elsewhere),
store port_ptr into crp->port_ptr as soon as it is allocated;
otherwise it could leak if the subsequent xdr_u_int32() operation
fails.
CVE: CVE-2024-26458 CVE-2024-26461
Upstream-Status: Backport [https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d]
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
src/lib/rpc/pmap_rmt.c | 9 +++---
2 files changed, 29 insertions(+), 36 deletions(-)
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index 1fcbdfb..d3210c1 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
int conf_req_flag, int toktype)
{
size_t bufsize = 16;
- unsigned char *outbuf = 0;
+ unsigned char *outbuf = NULL;
krb5_error_code err;
int key_usage;
unsigned char acceptor_flag;
@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
size_t ec;
unsigned short tok_id;
- krb5_checksum sum;
+ krb5_checksum sum = { 0 };
krb5_key key;
krb5_cksumtype cksumtype;
+ krb5_data plain = empty_data();
+
+ token->value = NULL;
+ token->length = 0;
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
- krb5_data plain;
krb5_enc_data cipher;
size_t ec_max;
size_t encrypt_size;
/* 300: Adds some slop. */
- if (SIZE_MAX - 300 < message->length)
- return ENOMEM;
+ if (SIZE_MAX - 300 < message->length) {
+ err = ENOMEM;
+ goto cleanup;
+ }
ec_max = SIZE_MAX - message->length - 300;
if (ec_max > 0xffff)
ec_max = 0xffff;
@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
#endif
err = alloc_data(&plain, message->length + 16 + ec);
if (err)
- return err;
+ goto cleanup;
/* Get size of ciphertext. */
encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
if (encrypt_size > SIZE_MAX / 2) {
err = ENOMEM;
- goto error;
+ goto cleanup;
}
bufsize = 16 + encrypt_size;
/* Allocate space for header plus encrypted data. */
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
- free(plain.data);
- return ENOMEM;
+ err = ENOMEM;
+ goto cleanup;
}
/* TOK_ID */
@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
cipher.ciphertext.length = bufsize - 16;
cipher.enctype = key->keyblock.enctype;
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
if (err)
- goto error;
+ goto cleanup;
/* Now that we know we're returning a valid token.... */
ctx->seq_send++;
@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
/* If the rotate fails, don't worry about it. */
#endif
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
- krb5_data plain;
size_t cksumsize;
/* Here, message is the application-supplied data; message2 is
@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
wrap_with_checksum:
err = alloc_data(&plain, message->length + 16);
if (err)
- return err;
+ goto cleanup;
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
- goto error;
+ goto cleanup;
assert(cksumsize <= 0xffff);
bufsize = 16 + message2->length + cksumsize;
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
- free(plain.data);
- plain.data = 0;
err = ENOMEM;
- goto error;
+ goto cleanup;
}
/* TOK_ID */
@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
if (message2->length)
memcpy(outbuf + 16, message2->value, message2->length);
- sum.contents = outbuf + 16 + message2->length;
- sum.length = cksumsize;
-
err = krb5_k_make_checksum(context, cksumtype, key,
key_usage, &plain, &sum);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
if (err) {
zap(outbuf,bufsize);
- goto error;
+ goto cleanup;
}
if (sum.length != cksumsize)
abort();
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
- krb5_free_checksum_contents(context, &sum);
- sum.contents = 0;
/* Now that we know we're actually generating the token... */
ctx->seq_send++;
@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
token->value = outbuf;
token->length = bufsize;
- return 0;
+ outbuf = NULL;
+ err = 0;
-error:
+cleanup:
+ krb5_free_checksum_contents(context, &sum);
+ zapfree(plain.data, plain.length);
gssalloc_free(outbuf);
- token->value = NULL;
- token->length = 0;
return err;
}
diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
index 8c7e30c..522cb20 100644
--- a/src/lib/rpc/pmap_rmt.c
+++ b/src/lib/rpc/pmap_rmt.c
@@ -160,11 +160,12 @@ xdr_rmtcallres(
caddr_t port_ptr;
port_ptr = (caddr_t)(void *)crp->port_ptr;
- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
- xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
- crp->port_ptr = (uint32_t *)(void *)port_ptr;
+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
+ (xdrproc_t)xdr_u_int32))
+ return (FALSE);
+ crp->port_ptr = (uint32_t *)(void *)port_ptr;
+ if (xdr_u_int32(xdrs, &crp->resultslen))
return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
- }
return (FALSE);
}
--
2.40.0
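Review bot: The patch header refers to `xmt_rmtcallres()`, but the function changed in src/lib/rpc/pmap_rmt.c is `xdr_rmtcallres`, and the `CVE:` line lists two identifiers without saying which file section addresses which. For the release traceability this mirror is meant to provide, add one line under `Upstream-Status:` that maps each CVE to its file. From the public advisories, CVE-2024-26458 appears to be the pmap_rmt.c leak and CVE-2024-26461 the k5sealv3.c leak; confirm this before writing it down. The upstream message text itself should stay as is, so the backport remains comparable with the referenced commit.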


@@ -0,0 +1,68 @@
From 78ceba024b64d49612375be4a12d1c066b0bfbd0 Mon Sep 17 00:00:00 2001
From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
Date: Tue, 28 Jan 2025 16:39:25 -0500
Subject: [PATCH] Prevent overflow when calculating ulog block size
In kdb_log.c:resize(), log an error and fail if the update size is
larger than the largest possible block size (2^16-1).
CVE-2025-24528:
In MIT krb5 release 1.7 and later with incremental propagation
enabled, an authenticated attacker can cause kadmind to write beyond
the end of the mapped region for the iprop log file, likely causing a
process crash.
[ghudson@mit.edu: edited commit message and added CVE description]
ticket: 9159 (new)
tags: pullup
target_version: 1.21-next
CVE: CVE-2025-24528
Upstream-Status: Backport [https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0]
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
src/lib/kdb/kdb_log.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 2659a25..68fae91 100644
--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
*/
static krb5_error_code
resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
- unsigned int recsize)
+ unsigned int recsize, const kdb_incr_update_t *upd)
{
unsigned int new_block, new_size;
@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
new_block *= ULOG_BLOCK;
new_size += ulogentries * new_block;
+ if (new_block > UINT16_MAX) {
+ syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
+ upd->kdb_princ_name.utf8str_t_len,
+ upd->kdb_princ_name.utf8str_t_val);
+ return KRB5_LOG_ERROR;
+ }
if (new_size > MAXLOGLEN)
return KRB5_LOG_ERROR;
@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
recsize = sizeof(kdb_ent_header_t) + upd_size;
if (recsize > ulog->kdb_block) {
- retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
+ retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
if (retval)
return retval;
}
--
2.40.0
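Review bot: The `%.*s` precision in the added `syslog()` call in resize() is passed `upd->kdb_princ_name.utf8str_t_len` directly, and a printf-style precision must be an `int`. The field's declaration is not visible here, but if it is unsigned (as XDR-generated length fields usually are) the argument should be cast: `(int)upd->kdb_princ_name.utf8str_t_len,`. Since this file is a verbatim upstream backport, that is better raised upstream than edited locally. The message `ulog overflow caused by principal` is worth adding to kadmind log monitoring, because it marks a rejected oversized update. resize() begins and ends outside the hunk.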


@@ -0,0 +1,29 @@
Modifies export-check.pl to use look for $ENV{'NM'} before
defaulting to using 'nm'
Upstream-Status: Pending
Signed-off-by: Amy Fong <amy.fong@windriver.com>
---
export-check.pl | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
Index: src/util/export-check.pl
===================================================================
--- src.orig/util/export-check.pl
+++ src/util/export-check.pl
@@ -38,7 +38,12 @@
my($exfile, $libfile) = @ARGV;
@missing = ();
-open NM, "nm -Dg --defined-only $libfile |" || die "can't run nm on $libfile: $!";
+if (defined($ENV{'NM'})) {
+ $nm = $ENV{'NM'};
+} else {
+ $nm = "nm";
+}
+open NM, "$nm -Dg --defined-only $libfile |" || die "can't run nm on $libfile: $!";
open EXPORT, "< $exfile" || die "can't read $exfile: $!";
@export = <EXPORT>;
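Review bot: The `|| die` on the rewritten `open NM` line can never run, because `||` binds to the command string (always true) rather than to the result of `open`. Use `open(NM, "$nm -Dg --defined-only $libfile |") or die "can't run nm on $libfile: $!";`. Also check the result of `close NM`, since that is where a failing command in a pipe open is reported; the rest of the script is outside this hunk. This matters more now that the command name comes from `$ENV{'NM'}`, because a wrong value is not reported at the open. The value is interpolated into a shell command line, so it should only ever be set by the build environment.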


@@ -0,0 +1,48 @@
Subject: [PATCH] debian: suppress /usr/lib in krb5-config
Upstream-Status: Pending
Handel multi-arch suppressions
The patch is from debian.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
src/build-tools/krb5-config.in | 14 +++++++++-----
1 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
index f6184da..637bad7 100755
--- a/src/build-tools/krb5-config.in
+++ b/src/build-tools/krb5-config.in
@@ -138,6 +138,7 @@ if test -n "$do_help"; then
echo " [--defktname] Show built-in default keytab name"
echo " [--defcktname] Show built-in default client keytab name"
echo " [--cflags] Compile time CFLAGS"
+ echo " [--deps] Include dependent libraries"
echo " [--libs] List libraries required to link [LIBRARIES]"
echo "Libraries:"
echo " krb5 Kerberos 5 application"
@@ -209,11 +210,14 @@ fi
if test -n "$do_libs"; then
# Assumes /usr/lib is the standard library directory everywhere...
- if test "$libdir" = /usr/lib; then
- libdirarg=
- else
- libdirarg="-L$libdir"
- fi
+ case $libdir in
+ /usr/lib*)
+ libdirarg=
+ ;;
+ *)
+ libdirarg="-L$libdir"
+ ;;
+ esac
# Ugly gross hack for our build tree
lib_flags=`echo $CC_LINK | sed -e 's/\$(CC)//' \
-e 's/\$(PURE)//' \
--
1.7.1
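Review bot: The `/usr/lib*)` pattern drops `-L$libdir` for every path that merely begins with `/usr/lib`, including directories the linker does not search by default (a private subdirectory, or `/usr/libexec`). For such a libdir, `krb5-config --libs` would let the link resolve against whatever copy of the library sits on the default search path, or fail. An explicit list of the intended directories is safer, for example `/usr/lib|/usr/lib32|/usr/lib64|/usr/lib/*-linux-*)`, adjusted to the multi-arch layouts actually in use. The added `[--deps]` help line has no matching option handling visible in these hunks, so confirm the option is parsed elsewhere in the script.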


@@ -0,0 +1,4 @@
# Automatically generated. If you change anything in this file other than the
# values of DAEMON_ARGS, first run dpkg-reconfigure
# krb5-admin-server and disable managing the kadmin configuration with
# debconf. Otherwise, changes will be overwritten.


@@ -0,0 +1,5 @@
# Automatically generated. Only the value of DAEMON_ARGS will be preserved.
# If you change anything in this file other than DAEMON_ARGS, first run
# dpkg-reconfigure krb5-kdc and disable managing the KDC configuration with
# debconf. Otherwise, changes will be overwritten.


@@ -0,0 +1,140 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: krb5-admin-server
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Should-Start: krb5-kdc
# Should-Stop: krb5-kdc
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: MIT Kerberos KDC administrative daemon
# Description: Starts, stops, or restarts the MIT Kerberos KDC
# administrative daemon (kadmind). This daemon answers
# requests from kadmin clients and allows administrators
# to create, delete, and modify principals in the KDC
# database.
### END INIT INFO
# Author: Sam Hartman <hartmans@mit.edu>
# Author: Russ Allbery <rra@debian.org>
#
# Based on the /etc/init.d/skeleton template as found in initscripts version
# 2.86.ds1-15.
# June, 2012: Adopted for yocto <amy.fong@windriver.com>
PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="Kerberos administrative servers"
NAME=kadmind
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS=""
SCRIPTNAME=/etc/init.d/krb5-admin-server
DEFAULT=/etc/default/krb5-admin-server
# Exit if the package is not installed.
[ -x "$DAEMON" ] || exit 0
# Read configuration if it is present.
[ -r "$DEFAULT" ] && . "$DEFAULT"
# Get the setting of VERBOSE and other rcS variables.
[ -f /etc/default/rcS ] && . /etc/default/rcS
. /etc/init.d/functions
ADMIN_SERVER_LOG=/var/log/kadmind.log
[ -f $ADMIN_SERVER_LOG ] && (test ! -x /sbin/restorecon \
|| /sbin/restorecon -F $ADMIN_SERVER_LOG)
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
do_start()
{
start-stop-daemon --start --quiet --startas $DAEMON --name $NAME --test \
> /dev/null || return 1
start-stop-daemon --start --quiet --startas $DAEMON --name $NAME \
-- $DAEMON_ARGS || return 2
}
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
do_stop()
{
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
return "$RETVAL"
}
case "$1" in
start)
if [ "$RUN_KADMIND" = false ] ; then
if [ "$VERBOSE" != no ] ; then
echo "Not starting $DESC per configuration"
fi
exit 0
fi
[ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && echo 0 ;;
2) [ "$VERBOSE" != no ] && echo 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && echo 0 ;;
2) [ "$VERBOSE" != no ] && echo 1 ;;
esac
;;
restart|force-reload)
if [ "$RUN_KADMIND" = false ] ; then
if [ "$VERBOSE" != no ] ; then
echo "Not restarting $DESC per configuration"
fi
exit 0
fi
echo "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) [ "$VERBOSE" != no ] && echo 0 ;;
*) [ "$VERBOSE" != no ] && echo 1 ;;
esac
;;
*)
echo 1
;;
esac
;;
status)
pidofproc "$DAEMON" >/dev/null
status=$?
if [ $status -eq 0 ]; then
echo "$NAME is running."
else
echo "$NAME is not running."
fi
exit $status
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
exit 3
;;
esac
:
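Review bot: A failed start is never reported to the caller. The `2)` arm of the `case "$?"` after `do_start` only echoes `1`, and the script then falls through to the final `:` and exits 0. Init tooling and monitoring therefore see success when kadmind could not be started. Give the failure arms an explicit exit, e.g. `2) [ "$VERBOSE" != no ] && echo 1; exit 1 ;;`. The `stop` and `restart` arms follow the same pattern, as does the krb5-kdc script in the next file section.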


@@ -0,0 +1,133 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: krb5-kdc
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# X-Start-Before: $x-display-manager
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: MIT Kerberos KDC
# Description: Starts, stops, or restarts the MIT Kerberos KDC. This
# daemon responds to ticket requests from Kerberos
# clients.
### END INIT INFO
# Author: Sam Hartman <hartmans@mit.edu>
# Author: Russ Allbery <rra@debian.org>
#
# Based on the /etc/init.d/skeleton template as found in initscripts version
# 2.86.ds1-15.
# June, 2012: Adopted for yocto <amy.fong@windriver.com>
PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="Kerberos KDC"
NAME=krb5kdc
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS=""
SCRIPTNAME=/etc/init.d/krb5-kdc
# Exit if the package is not installed.
[ -x "$DAEMON" ] || exit 0
# Read configuration if it is present.
[ -r /etc/default/krb5-kdc ] && . /etc/default/krb5-kdc
# Get the setting of VERBOSE and other rcS variables.
[ -f /etc/default/rcS ] && . /etc/default/rcS
. /etc/init.d/functions
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
do_start_kdc()
{
start-stop-daemon --start --quiet --startas $DAEMON --name $NAME --test \
> /dev/null || return 1
start-stop-daemon --start --quiet --startas $DAEMON --name $NAME \
-- $DAEMON_ARGS || return 2
}
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
do_stop_kdc()
{
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
return "$RETVAL"
}
case "$1" in
start)
[ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME"
do_start_kdc
case "$?" in
0|1)
[ "$VERBOSE" != no ] && echo 0
;;
2)
[ "$VERBOSE" != no ] && echo 1
;;
esac
;;
stop)
[ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME"
do_stop_kdc
case "$?" in
0|1)
[ "$VERBOSE" != no ] && echo "krb524d"
;;
2)
[ "$VERBOSE" != no ] && echo 1
;;
esac
;;
restart|force-reload)
echo "Restarting $DESC" "$NAME"
do_stop_kdc
case "$?" in
0|1)
do_start_kdc
case "$?" in
0)
echo 0
;;
1|2)
echo 1
;;
esac
;;
*)
echo 1
;;
esac
;;
status)
pidofproc "$DAEMON" >/dev/null
status=$?
if [ $status -eq 0 ]; then
echo "$NAME is running."
else
echo "$NAME is not running."
fi
exit $status
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
exit 3
;;
esac
:
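Review bot: The `0|1)` arm of `stop` prints the literal string `krb524d` on success, where the matching arm of `start` prints `0`. It looks like a leftover from the Debian script this was adapted from (inferred; the original is not on this page). Replace it with `[ "$VERBOSE" != no ] && echo 0` so both arms report the same way and nothing parses a stray daemon name as status output.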


@@ -0,0 +1,15 @@
[Unit]
Description=MIT Kerberos KDC administrative daemon
After=syslog.target network.target
ConditionPathExists=/etc/krb5.conf
[Service]
Type=forking
ExecStartPre=/bin/sh -c "test ! -f /var/log/kadmind.log || test ! -x /sbin/restorecon || /sbin/restorecon -F /var/log/kadmind.log"
ExecStart=/usr/sbin/kadmind
EnvironmentFile=-/etc/default/krb5-admin-server
SuccessExitStatus=1 2 SIGKILL
TimeoutStopSec=30
[Install]
WantedBy=multi-user.target
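Review bot: `SuccessExitStatus=1 2 SIGKILL` makes systemd record kadmind as having exited cleanly when it exits with status 1 or 2 or is killed with SIGKILL, so a crashed or forcibly killed admin daemon is not reported as failed. Unless those codes are known to be normal for kadmind, drop the line. The unit also reads `/etc/default/krb5-admin-server`, but `ExecStart=/usr/sbin/kadmind` never expands `$DAEMON_ARGS`, so arguments set there are ignored under systemd while the SysV script honours them; `ExecStart=/usr/sbin/kadmind $DAEMON_ARGS` would match. Both points apply equally to the krb5-kdc unit in the next file section.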


@@ -0,0 +1,14 @@
[Unit]
Description=MIT Kerberos KDC
After=syslog.target network.target
ConditionPathExists=/etc/krb5.conf
[Service]
Type=forking
ExecStart=/usr/sbin/krb5kdc
EnvironmentFile=-/etc/default/krb5-kdc
SuccessExitStatus=1 2 SIGKILL
TimeoutStopSec=30
[Install]
WantedBy=multi-user.target


@@ -0,0 +1,203 @@
SUMMARY = "A network authentication protocol"
DESCRIPTION = "Kerberos is a system for authenticating users and services on a network. \
Kerberos is a trusted third-party service. That means that there is a \
third party (the Kerberos server) that is trusted by all the entities on \
the network (users and services, usually called "principals"). \
. \
This is the MIT reference implementation of Kerberos V5. \
. \
This package contains the Kerberos key server (KDC). The KDC manages all \
authentication credentials for a Kerberos realm, holds the master keys \
for the realm, and responds to authentication requests. This package \
should be installed on both master and slave KDCs."
HOMEPAGE = "http://web.mit.edu/Kerberos/"
SECTION = "console/network"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=71c06694263581762668e88b7b77a1a5"
inherit autotools-brokensep binconfig perlnative systemd update-rc.d pkgconfig
SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \
file://crosscompile_nm.patch \
file://etc/init.d/krb5-kdc \
file://etc/init.d/krb5-admin-server \
file://etc/default/krb5-kdc \
file://etc/default/krb5-admin-server \
file://krb5-kdc.service \
file://krb5-admin-server.service \
file://CVE-2024-26458_CVE-2024-26461.patch;striplevel=2 \
file://CVE-2025-24528.patch;striplevel=2 \
"
SRC_URI[sha256sum] = "b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd304840ad35"
CVE_PRODUCT = "kerberos"
CVE_VERSION = "5-${PV}"
S = "${WORKDIR}/${BP}/src"
DEPENDS = "bison-native ncurses util-linux e2fsprogs e2fsprogs-native openssl"
PACKAGECONFIG ??= "pkinit"
PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
PACKAGECONFIG[openssl] = "--with-crypto-impl=openssl,,openssl"
PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils"
PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap"
PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
PACKAGECONFIG[pkinit] = "--enable-pkinit, --disable-pkinit"
EXTRA_OECONF += "--with-system-et --disable-rpath"
CACHED_CONFIGUREVARS += "krb5_cv_attr_constructor_destructor=yes ac_cv_func_regcomp=yes \
ac_cv_printf_positional=yes ac_cv_file__etc_environment=yes \
ac_cv_file__etc_TIMEZONE=no"
CFLAGS:append = " -fPIC -DDESTRUCTOR_ATTR_WORKS=1 -I${STAGING_INCDIR}/et"
CFLAGS:append:riscv64 = " -D_REENTRANT -pthread"
LDFLAGS:append = " -pthread"
do_configure() {
gnu-configize --force
autoreconf
oe_runconf
}
do_install:append() {
rm -rf ${D}/${localstatedir}/run
rm -f ${D}${bindir}/sclient
rm -f ${D}${bindir}/sim_client
rm -f ${D}${bindir}/uuclient
rm -f ${D}${sbindir}/krb5-send-pr
rm -f ${D}${sbindir}/sim_server
rm -f ${D}${sbindir}/sserver
rm -f ${D}${sbindir}/uuserver
if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
mkdir -p ${D}/${sysconfdir}/init.d ${D}/${sysconfdir}/default
install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/${sysconfdir}/init.d
install -m 0644 ${WORKDIR}/etc/default/* ${D}/${sysconfdir}/default
mkdir -p ${D}/${sysconfdir}/default/volatiles
echo "d root root 0755 ${localstatedir}/run/krb5kdc none" \
> ${D}${sysconfdir}/default/volatiles/87_krb5
echo "RUN_KADMIND=true" >> ${D}/${sysconfdir}/default/krb5-admin-server
fi
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/tmpfiles.d
echo "d /run/krb5kdc - - - -" \
> ${D}${sysconfdir}/tmpfiles.d/krb5.conf
mkdir -p ${D}/${sysconfdir}/default
install -m 0644 ${WORKDIR}/etc/default/* ${D}/${sysconfdir}/default
install -d ${D}${systemd_system_unitdir}
install -m 0644 ${WORKDIR}/krb5-admin-server.service ${D}${systemd_system_unitdir}
install -m 0644 ${WORKDIR}/krb5-kdc.service ${D}${systemd_system_unitdir}
fi
sed -e 's@[^ ]*-ffile-prefix-map=[^ "]*@@g' \
-e 's@[^ ]*-fdebug-prefix-map=[^ "]*@@g' \
-e 's@[^ ]*-fmacro-prefix-map=[^ "]*@@g' \
-i ${D}${bindir}/krb5-config
}
PACKAGE_BEFORE_PN =+ "${PN}-admin-server \
${PN}-gss-samples \
${PN}-k5tls \
${PN}-kdc \
${PN}-kdc-ldap \
${PN}-kpropd \
${PN}-otp \
${PN}-pkinit \
${PN}-spake \
${PN}-user \
libgssapi-krb5 \
libgssrpc \
libk5crypto \
libkadm5clnt-mit \
libkadm5srv-mit \
libkdb5 \
libkrad \
libkrb5 \
libkrb5support \
libverto"
FILES:${PN} = "${libdir}/krb5/plugins/preauth/test.so"
FILES:${PN}-doc += "${datadir}/examples"
FILES:${PN}-dbg += "${libdir}/krb5/plugins/*/.debug"
FILES:${PN}-admin-server = "${sbindir}/kadmin.local \
${sbindir}/kadmind \
${sbindir}/kprop \
${sysconfdir}/default/krb5-admin-server \
${sysconfdir}/init.d/krb5-admin-server \
${systemd_system_unitdir}/krb5-admin-server.service"
FILES:${PN}-gss-samples = "${bindir}/gss-client \
${sbindir}/gss-server"
FILES:${PN}-k5tls = "${libdir}/krb5/plugins/tls/k5tls.so"
FILES:${PN}-kdc = "${libdir}/krb5/plugins/kdb/db2.so \
${localstatedir}/krb5kdc \
${sbindir}/kdb5_util \
${sbindir}/kproplog \
${sbindir}/krb5kdc \
${sysconfdir}/default/krb5-kdc \
${sysconfdir}/default/volatiles/87_krb5 \
${sysconfdir}/init.d/krb5-kdc \
${sysconfdir}/tmpfiles.d/krb5.conf \
${systemd_system_unitdir}/krb5-kdc.service"
FILES:${PN}-kdc-ldap = "${libdir}/krb5/libkdb_ldap${SOLIBS} \
${libdir}/krb5/plugins/kdb/kldap.so \
${sbindir}/kdb5_ldap_util"
FILES:${PN}-kpropd = "${sbindir}/kpropd"
FILES:${PN}-otp = "${libdir}/krb5/plugins/preauth/otp.so"
FILES:${PN}-pkinit = "${libdir}/krb5/plugins/preauth/pkinit.so"
FILES:${PN}-spake = "${libdir}/krb5/plugins/preauth/spake.so"
FILES:${PN}-user = "${bindir}/k*"
FILES:libgssapi-krb5 = "${libdir}/libgssapi_krb5${SOLIBS}"
FILES:libgssrpc = "${libdir}/libgssrpc${SOLIBS}"
FILES:libk5crypto = "${libdir}/libk5crypto${SOLIBS}"
FILES:libkadm5clnt-mit = "${libdir}/libkadm5clnt_mit${SOLIBS}"
FILES:libkadm5srv-mit = "${libdir}/libkadm5srv_mit${SOLIBS}"
FILES:libkdb5 = "${libdir}/libkdb5${SOLIBS}"
FILES:libkrad = "${libdir}/libkrad${SOLIBS}"
FILES:libkrb5 = "${libdir}/libkrb5${SOLIBS} \
${libdir}/krb5/plugins/authdata \
${libdir}/krb5/plugins/libkrb5"
FILES:libkrb5support = "${libdir}/libkrb5support${SOLIBS}"
FILES:libverto = "${libdir}/libverto${SOLIBS}"
RDEPENDS:${PN}-kadmin-server = "${PN}-kdc"
RDEPENDS:${PN}-kpropd = "${PN}-kdc"
INITSCRIPT_PACKAGES = "${PN}-admin-server ${PN}-kdc"
INITSCRIPT_NAME:${PN}-admin-server = "krb5-admin-server"
INITSCRIPT_NAME:${PN}-kdc = "krb5-kdc"
SYSTEMD_PACKAGES = "${PN}-admin-server ${PN}-kdc"
SYSTEMD_SERVICE:${PN}-admin-server = "krb5-admin-server.service"
SYSTEMD_SERVICE:${PN}-kdc = "krb5-kdc.service"
pkg_postinst:${PN}-kdc () {
if [ -z "$D" ]; then
if command -v systemd-tmpfiles >/dev/null; then
systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/krb5.conf
elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
fi
}
BBCLASSEXTEND = "native nativesdk"
inherit multilib_script
MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/krb5-config"
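Review bot: `RDEPENDS:${PN}-kadmin-server = "${PN}-kdc"` names a package this recipe never defines. The split package listed in `PACKAGE_BEFORE_PN` and `FILES` is `${PN}-admin-server`, so the admin server is installed without its runtime dependency on the KDC package. The line should read `RDEPENDS:${PN}-admin-server = "${PN}-kdc"`. Separately, `SRC_URI` and `HOMEPAGE` use plain `http://`. The tarball is pinned by `SRC_URI[sha256sum]`, so its integrity is still checked, but an `https://` location would keep the fetch itself from being redirected or observed in transit.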