diff options
| author | Alexander Larsson <alexl@redhat.com> | 2016-04-05 19:39:06 +0200 |
|---|---|---|
| committer | Alexander Larsson <alexl@redhat.com> | 2016-04-05 19:39:06 +0200 |
| commit | 3ae26eb3214068b51c8325fdce2d532ede8610bd (patch) | |
| tree | 1cc40b73df3e217a0d3533a60ac572ac79ba014a | |
| parent | 4a66ad8320c59d03dd13d51fd2fd44b5bfafd74d (diff) | |
Update krb5 to 1.13.2
| -rw-r--r-- | meta-freedesktop/recipes-core/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch | 92 | ||||
| -rw-r--r-- | meta-freedesktop/recipes-core/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch | 739 | ||||
| -rw-r--r-- | meta-freedesktop/recipes-core/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch | 134 | ||||
| -rw-r--r-- | meta-freedesktop/recipes-core/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch | 572 | ||||
| -rw-r--r-- | meta-freedesktop/recipes-core/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch | 58 | ||||
| -rw-r--r-- | meta-freedesktop/recipes-core/krb5/krb5_1.13.2.bb (renamed from meta-freedesktop/recipes-core/krb5/krb5_1.12.2.bb) | 34 |
6 files changed, 1532 insertions, 97 deletions
diff --git a/meta-freedesktop/recipes-core/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch b/meta-freedesktop/recipes-core/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch deleted file mode 100644 index 0852661..0000000 --- a/meta-freedesktop/recipes-core/krb5/krb5/0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch +++ /dev/null @@ -1,92 +0,0 @@ -From af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson@mit.edu> -Date: Thu, 21 Aug 2014 13:52:07 -0400 -Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351] - -In kadmind's randkey operation, if a client specifies the keepold -flag, do not include the preserved old keys in the response. - -CVE-2014-5351: - -An authenticated remote attacker can retrieve the current keys for a -service principal when generating a new set of keys for that -principal. The attacker needs to be authenticated as a user who has -the elevated privilege for randomizing the keys of other principals. - -Normally, when a Kerberos administrator randomizes the keys of a -service principal, kadmind returns only the new keys. This prevents -an administrator who lacks legitimate privileged access to a service -from forging tickets to authenticate to that service. If the -"keepold" flag to the kadmin randkey RPC operation is true, kadmind -retains the old keys in the KDC database as intended, but also -unexpectedly returns the old keys to the client, which exposes the -service to ticket forgery attacks from the administrator. - -A mitigating factor is that legitimate clients of the affected service -will start failing to authenticate to the service once they begin to -receive service tickets encrypted in the new keys. The affected -service will be unable to decrypt the newly issued tickets, possibly -alerting the legitimate administrator of the affected service. - -CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C - -[tlyu@mit.edu: CVE description and CVSS score] - -ticket: 8018 (new) -target_version: 1.13 -tags: pullup - -Upstream-Status: Backport ---- - src/lib/kadm5/srv/svr_principal.c | 21 ++++++++++++++++++--- - 1 files changed, 18 insertions(+), 3 deletions(-) - -diff --git a/lib/kadm5/srv/svr_principal.c b/lib/kadm5/srv/svr_principal.c -index 5d358bd..d4e74cc 100644 ---- a/lib/kadm5/srv/svr_principal.c -+++ b/lib/kadm5/srv/svr_principal.c -@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask, - *passptr = NULL; - } - -+/* Return the number of keys with the newest kvno. Assumes that all key data -+ * with the newest kvno are at the front of the key data array. */ -+static int -+count_new_keys(int n_key_data, krb5_key_data *key_data) -+{ -+ int n; -+ -+ for (n = 1; n < n_key_data; n++) { -+ if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno) -+ return n; -+ } -+ return n_key_data; -+} -+ - kadm5_ret_t - kadm5_create_principal(void *server_handle, - kadm5_principal_ent_t entry, long mask, -@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle, - osa_princ_ent_rec adb; - krb5_int32 now; - kadm5_policy_ent_rec pol; -- int ret, last_pwd; -+ int ret, last_pwd, n_new_keys; - krb5_boolean have_pol = FALSE; - kadm5_server_handle_t handle = server_handle; - krb5_keyblock *act_mkey; -@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle, - kdb->fail_auth_count = 0; - - if (keyblocks) { -- ret = decrypt_key_data(handle->context, -- kdb->n_key_data, kdb->key_data, -+ /* Return only the new keys added by krb5_dbe_crk. */ -+ n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data); -+ ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data, - keyblocks, n_keys); - if (ret) - goto done; --- -1.7.4.1 - diff --git a/meta-freedesktop/recipes-core/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch b/meta-freedesktop/recipes-core/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch new file mode 100644 index 0000000..b771b41 --- /dev/null +++ b/meta-freedesktop/recipes-core/krb5/krb5/Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch @@ -0,0 +1,739 @@ +From f6e57c402688f4bc386d1a39512657a30f0bafd3 Mon Sep 17 00:00:00 2001 +From: Nicolas Williams <nico@twosigma.com> +Date: Mon, 14 Sep 2015 12:28:36 -0400 +Subject: [PATCH 2/4] Fix IAKERB context aliasing bugs [CVE-2015-2696] + +The IAKERB mechanism currently replaces its context handle with the +krb5 mechanism handle upon establishment, under the assumption that +most GSS functions are only called after context establishment. This +assumption is incorrect, and can lead to aliasing violations for some +programs. Maintain the IAKERB context structure after context +establishment and add new IAKERB entry points to refer to it with that +type. Add initiate and established flags to the IAKERB context +structure for use in gss_inquire_context() prior to context +establishment. + +CVE-2015-2696: + +In MIT krb5 1.9 and later, applications which call +gss_inquire_context() on a partially-established IAKERB context can +cause the GSS-API library to read from a pointer using the wrong type, +generally causing a process crash. Java server applications using the +native JGSS provider are vulnerable to this bug. A carefully crafted +IAKERB packet might allow the gss_inquire_context() call to succeed +with attacker-determined results, but applications should not make +access control decisions based on gss_inquire_context() results prior +to context establishment. + + CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +[ghudson@mit.edu: several bugfixes, style changes, and edge-case +behavior changes; commit message and CVE description] + +ticket: 8244 +target_version: 1.14 +tags: pullup + +Backport upstream commit: +https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a + +Upstream-Status: Backport +--- + src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++ + src/lib/gssapi/krb5/gssapi_krb5.c | 105 +++++++++-- + src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++---- + 3 files changed, 529 insertions(+), 41 deletions(-) + +diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h +index a0e8625..05dc321 100644 +--- a/src/lib/gssapi/krb5/gssapiP_krb5.h ++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h +@@ -620,6 +620,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext + ); + #endif /* LEAN_CLIENT */ + ++OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid ++(OM_uint32*, /* minor_status */ ++ const gss_ctx_id_t, ++ /* context_handle */ ++ const gss_OID, /* desired_object */ ++ gss_buffer_set_t* /* data_set */ ++); ++ ++OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option ++(OM_uint32*, /* minor_status */ ++ gss_ctx_id_t*, /* context_handle */ ++ const gss_OID, /* desired_object */ ++ const gss_buffer_t/* value */ ++); ++ + OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token + (OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ +@@ -1301,6 +1316,105 @@ OM_uint32 KRB5_CALLCONV + krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token, + gss_cred_id_t *cred_handle); + ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_process_context_token(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_buffer_t token_buffer); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ OM_uint32 *time_rec); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_context(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, gss_name_t *src_name, ++ gss_name_t *targ_name, OM_uint32 *lifetime_rec, ++ gss_OID *mech_type, OM_uint32 *ctx_flags, ++ int *locally_initiated, int *opened); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_buffer_t message_buffer, ++ gss_buffer_t message_token); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_iov_buffer_desc *iov, ++ int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, gss_qop_t qop_req, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t msg_buffer, gss_buffer_t token_buffer, ++ gss_qop_t *qop_state); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t *qop_state, gss_iov_buffer_desc *iov, ++ int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, ++ gss_buffer_t input_message_buffer, int *conf_state, ++ gss_buffer_t output_message_buffer); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t input_message_buffer, ++ gss_buffer_t output_message_buffer, int *conf_state, ++ gss_qop_t *qop_state); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int *conf_state, gss_qop_t *qop_state, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, OM_uint32 req_output_size, ++ OM_uint32 *max_input_size); ++ ++#ifndef LEAN_CLIENT ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_export_sec_context(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_buffer_t interprocess_token); ++#endif /* LEAN_CLIENT */ ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_OID desired_object, ++ gss_buffer_set_t *data_set); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ const gss_OID desired_object, ++ const gss_buffer_t value); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int prf_key, const gss_buffer_t prf_in, ++ ssize_t desired_output_len, gss_buffer_t prf_out); ++ + /* Magic string to identify exported krb5 GSS credentials. Increment this if + * the format changes. */ + #define CRED_EXPORT_MAGIC "K5C1" +diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c +index 77b7fff..9a23656 100644 +--- a/src/lib/gssapi/krb5/gssapi_krb5.c ++++ b/src/lib/gssapi/krb5/gssapi_krb5.c +@@ -345,7 +345,7 @@ static struct { + } + }; + +-static OM_uint32 KRB5_CALLCONV ++OM_uint32 KRB5_CALLCONV + krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, +@@ -459,7 +459,7 @@ static struct { + }; + #endif + +-static OM_uint32 KRB5_CALLCONV ++OM_uint32 KRB5_CALLCONV + krb5_gss_set_sec_context_option (OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_OID desired_object, +@@ -904,20 +904,103 @@ static struct gss_config krb5_mechanism = { + krb5_gss_get_mic_iov_length, + }; + ++/* Functions which use security contexts or acquire creds are IAKERB-specific; ++ * other functions can borrow from the krb5 mech. */ ++static struct gss_config iakerb_mechanism = { ++ { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, ++ NULL, ++ iakerb_gss_acquire_cred, ++ krb5_gss_release_cred, ++ iakerb_gss_init_sec_context, ++#ifdef LEAN_CLIENT ++ NULL, ++#else ++ iakerb_gss_accept_sec_context, ++#endif ++ iakerb_gss_process_context_token, ++ iakerb_gss_delete_sec_context, ++ iakerb_gss_context_time, ++ iakerb_gss_get_mic, ++ iakerb_gss_verify_mic, ++#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE) ++ NULL, ++#else ++ iakerb_gss_wrap, ++#endif ++#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE) ++ NULL, ++#else ++ iakerb_gss_unwrap, ++#endif ++ krb5_gss_display_status, ++ krb5_gss_indicate_mechs, ++ krb5_gss_compare_name, ++ krb5_gss_display_name, ++ krb5_gss_import_name, ++ krb5_gss_release_name, ++ krb5_gss_inquire_cred, ++ NULL, /* add_cred */ ++#ifdef LEAN_CLIENT ++ NULL, ++ NULL, ++#else ++ iakerb_gss_export_sec_context, ++ NULL, ++#endif ++ krb5_gss_inquire_cred_by_mech, ++ krb5_gss_inquire_names_for_mech, ++ iakerb_gss_inquire_context, ++ krb5_gss_internal_release_oid, ++ iakerb_gss_wrap_size_limit, ++ krb5_gss_localname, ++ krb5_gss_authorize_localname, ++ krb5_gss_export_name, ++ krb5_gss_duplicate_name, ++ krb5_gss_store_cred, ++ iakerb_gss_inquire_sec_context_by_oid, ++ krb5_gss_inquire_cred_by_oid, ++ iakerb_gss_set_sec_context_option, ++ krb5_gssspi_set_cred_option, ++ krb5_gssspi_mech_invoke, ++ NULL, /* wrap_aead */ ++ NULL, /* unwrap_aead */ ++ iakerb_gss_wrap_iov, ++ iakerb_gss_unwrap_iov, ++ iakerb_gss_wrap_iov_length, ++ NULL, /* complete_auth_token */ ++ NULL, /* acquire_cred_impersonate_name */ ++ NULL, /* add_cred_impersonate_name */ ++ NULL, /* display_name_ext */ ++ krb5_gss_inquire_name, ++ krb5_gss_get_name_attribute, ++ krb5_gss_set_name_attribute, ++ krb5_gss_delete_name_attribute, ++ krb5_gss_export_name_composite, ++ krb5_gss_map_name_to_any, ++ krb5_gss_release_any_name_mapping, ++ iakerb_gss_pseudo_random, ++ NULL, /* set_neg_mechs */ ++ krb5_gss_inquire_saslname_for_mech, ++ krb5_gss_inquire_mech_for_saslname, ++ krb5_gss_inquire_attrs_for_mech, ++ krb5_gss_acquire_cred_from, ++ krb5_gss_store_cred_into, ++ iakerb_gss_acquire_cred_with_password, ++ krb5_gss_export_cred, ++ krb5_gss_import_cred, ++ NULL, /* import_sec_context_by_mech */ ++ NULL, /* import_name_by_mech */ ++ NULL, /* import_cred_by_mech */ ++ iakerb_gss_get_mic_iov, ++ iakerb_gss_verify_mic_iov, ++ iakerb_gss_get_mic_iov_length, ++}; ++ + #ifdef _GSS_STATIC_LINK + #include "mglueP.h" + static int gss_iakerbmechglue_init(void) + { + struct gss_mech_config mech_iakerb; +- struct gss_config iakerb_mechanism = krb5_mechanism; +- +- /* IAKERB mechanism mirrors krb5, but with different context SPIs */ +- iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context; +- iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context; +- iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context; +- iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred; +- iakerb_mechanism.gssspi_acquire_cred_with_password +- = iakerb_gss_acquire_cred_with_password; + + memset(&mech_iakerb, 0, sizeof(mech_iakerb)); + mech_iakerb.mech = &iakerb_mechanism; +diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c +index f30de32..4662bd9 100644 +--- a/src/lib/gssapi/krb5/iakerb.c ++++ b/src/lib/gssapi/krb5/iakerb.c +@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec { + gss_ctx_id_t gssc; + krb5_data conv; /* conversation for checksumming */ + unsigned int count; /* number of round trips */ ++ int initiate; ++ int established; + krb5_get_init_creds_opt *gic_opts; + }; + +@@ -695,7 +697,7 @@ cleanup: + * Allocate and initialise an IAKERB context + */ + static krb5_error_code +-iakerb_alloc_context(iakerb_ctx_id_t *pctx) ++iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate) + { + iakerb_ctx_id_t ctx; + krb5_error_code code; +@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx) + ctx->magic = KG_IAKERB_CONTEXT; + ctx->state = IAKERB_AS_REQ; + ctx->count = 0; ++ ctx->initiate = initiate; ++ ctx->established = 0; + + code = krb5_gss_init_context(&ctx->k5c); + if (code != 0) +@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t output_token) + { +- OM_uint32 major_status = GSS_S_COMPLETE; ++ iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; + + if (output_token != GSS_C_NO_BUFFER) { + output_token->length = 0; +@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, + } + + *minor_status = 0; ++ *context_handle = GSS_C_NO_CONTEXT; ++ iakerb_release_context(iakerb_ctx); + +- if (*context_handle != GSS_C_NO_CONTEXT) { +- iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; +- +- if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) { +- iakerb_release_context(iakerb_ctx); +- *context_handle = GSS_C_NO_CONTEXT; +- } else { +- assert(iakerb_ctx->magic == KG_CONTEXT); +- +- major_status = krb5_gss_delete_sec_context(minor_status, +- context_handle, +- output_token); +- } +- } +- +- return major_status; ++ return GSS_S_COMPLETE; + } + + static krb5_boolean +@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, + int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT); + + if (initialContextToken) { +- code = iakerb_alloc_context(&ctx); ++ code = iakerb_alloc_context(&ctx, 0); + if (code != 0) + goto cleanup; + +@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, + time_rec, + delegated_cred_handle, + &exts); +- if (major_status == GSS_S_COMPLETE) { +- *context_handle = ctx->gssc; +- ctx->gssc = NULL; +- iakerb_release_context(ctx); +- } ++ if (major_status == GSS_S_COMPLETE) ++ ctx->established = 1; + if (mech_type != NULL) + *mech_type = (gss_OID)gss_mech_krb5; + } +@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, + int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT); + + if (initialContextToken) { +- code = iakerb_alloc_context(&ctx); ++ code = iakerb_alloc_context(&ctx, 1); + if (code != 0) { + *minor_status = code; + goto cleanup; +@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, + ret_flags, + time_rec, + &exts); +- if (major_status == GSS_S_COMPLETE) { +- *context_handle = ctx->gssc; +- ctx->gssc = GSS_C_NO_CONTEXT; +- iakerb_release_context(ctx); +- } ++ if (major_status == GSS_S_COMPLETE) ++ ctx->established = 1; + if (actual_mech_type != NULL) + *actual_mech_type = (gss_OID)gss_mech_krb5; + } else { +@@ -1010,3 +995,309 @@ cleanup: + + return major_status; + } ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t input_message_buffer, ++ gss_buffer_t output_message_buffer, int *conf_state, ++ gss_qop_t *qop_state) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer, ++ output_message_buffer, conf_state, qop_state); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, ++ gss_buffer_t input_message_buffer, int *conf_state, ++ gss_buffer_t output_message_buffer) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req, ++ input_message_buffer, conf_state, ++ output_message_buffer); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_process_context_token(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_buffer_t token_buffer) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_DEFECTIVE_TOKEN; ++ ++ return krb5_gss_process_context_token(minor_status, ctx->gssc, ++ token_buffer); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ OM_uint32 *time_rec) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_context_time(minor_status, ctx->gssc, time_rec); ++} ++ ++#ifndef LEAN_CLIENT ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_export_sec_context(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_buffer_t interprocess_token) ++{ ++ OM_uint32 maj; ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ /* We don't currently support exporting partially established contexts. */ ++ if (!ctx->established) ++ return GSS_S_UNAVAILABLE; ++ ++ maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc, ++ interprocess_token); ++ if (ctx->gssc == GSS_C_NO_CONTEXT) { ++ iakerb_release_context(ctx); ++ *context_handle = GSS_C_NO_CONTEXT; ++ } ++ return maj; ++} ++ ++/* ++ * Until we implement partial context exports, there are no SPNEGO exported ++ * context tokens, only tokens for the underlying krb5 context. So we do not ++ * need to implement an iakerb_gss_import_sec_context() yet; it would be ++ * unreachable except via a manually constructed token. ++ */ ++ ++#endif /* LEAN_CLIENT */ ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_context(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, gss_name_t *src_name, ++ gss_name_t *targ_name, OM_uint32 *lifetime_rec, ++ gss_OID *mech_type, OM_uint32 *ctx_flags, ++ int *initiate, int *opened) ++{ ++ OM_uint32 ret; ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (src_name != NULL) ++ *src_name = GSS_C_NO_NAME; ++ if (targ_name != NULL) ++ *targ_name = GSS_C_NO_NAME; ++ if (lifetime_rec != NULL) ++ *lifetime_rec = 0; ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_iakerb; ++ if (ctx_flags != NULL) ++ *ctx_flags = 0; ++ if (initiate != NULL) ++ *initiate = ctx->initiate; ++ if (opened != NULL) ++ *opened = ctx->established; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_COMPLETE; ++ ++ ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name, ++ targ_name, lifetime_rec, mech_type, ++ ctx_flags, initiate, opened); ++ ++ if (!ctx->established) { ++ /* Report IAKERB as the mech OID until the context is established. */ ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_iakerb; ++ ++ /* We don't support exporting partially-established contexts. */ ++ if (ctx_flags != NULL) ++ *ctx_flags &= ~GSS_C_TRANS_FLAG; ++ } ++ ++ return ret; ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, OM_uint32 req_output_size, ++ OM_uint32 *max_input_size) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag, ++ qop_req, req_output_size, max_input_size); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_buffer_t message_buffer, ++ gss_buffer_t message_token) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer, ++ message_token); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t msg_buffer, gss_buffer_t token_buffer, ++ gss_qop_t *qop_state) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer, ++ token_buffer, qop_state); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_OID desired_object, ++ gss_buffer_set_t *data_set) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_UNAVAILABLE; ++ ++ return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc, ++ desired_object, data_set); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ const gss_OID desired_object, ++ const gss_buffer_t value) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle; ++ ++ if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_UNAVAILABLE; ++ ++ return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc, ++ desired_object, value); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req, ++ conf_state, iov, iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int *conf_state, gss_qop_t *qop_state, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state, ++ iov, iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag, ++ qop_req, conf_state, iov, iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int prf_key, const gss_buffer_t prf_in, ++ ssize_t desired_output_len, gss_buffer_t prf_out) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in, ++ desired_output_len, prf_out); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_iov_buffer_desc *iov, ++ int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov, ++ iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t *qop_state, gss_iov_buffer_desc *iov, ++ int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov, ++ iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, gss_qop_t qop_req, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov, ++ iov_count); ++} +-- +1.9.1 + diff --git a/meta-freedesktop/recipes-core/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch b/meta-freedesktop/recipes-core/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch new file mode 100644 index 0000000..2f45d30 --- /dev/null +++ b/meta-freedesktop/recipes-core/krb5/krb5/Fix-IAKERB-context-export-import-CVE-2015-2698.patch @@ -0,0 +1,134 @@ +From aa769c8c6905d1abfac66d4d1b0fc73740ccbe7d Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Sat, 14 Nov 2015 02:47:04 -0500 +Subject: [PATCH 4/4] Fix IAKERB context export/import [CVE-2015-2698] + +The patches for CVE-2015-2696 contained a regression in the newly +added IAKERB iakerb_gss_export_sec_context() function, which could +cause it to corrupt memory. Fix the regression by properly +dereferencing the context_handle pointer before casting it. + +Also, the patches did not implement an IAKERB gss_import_sec_context() +function, under the erroneous belief that an exported IAKERB context +would be tagged as a krb5 context. Implement it now to allow IAKERB +contexts to be successfully exported and imported after establishment. + +CVE-2015-2698: + +In any MIT krb5 release with the patches for CVE-2015-2696 applied, an +application which calls gss_export_sec_context() may experience memory +corruption if the context was established using the IAKERB mechanism. +Historically, some vulnerabilities of this nature can be translated +into remote code execution, though the necessary exploits must be +tailored to the individual application and are usually quite +complicated. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C + +ticket: 8273 (new) +target_version: 1.14 +tags: pullup + +Backport upstream commit: +https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd + +Upstream-Status: Backport +--- + src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++ + src/lib/gssapi/krb5/gssapi_krb5.c | 2 +- + src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++------- + 3 files changed, 41 insertions(+), 8 deletions(-) + +diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h +index 05dc321..ac53662 100644 +--- a/src/lib/gssapi/krb5/gssapiP_krb5.h ++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h +@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV + iakerb_gss_export_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t interprocess_token); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_import_sec_context(OM_uint32 *minor_status, ++ const gss_buffer_t interprocess_token, ++ gss_ctx_id_t *context_handle); + #endif /* LEAN_CLIENT */ + + OM_uint32 KRB5_CALLCONV +diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c +index 9a23656..d7ba279 100644 +--- a/src/lib/gssapi/krb5/gssapi_krb5.c ++++ b/src/lib/gssapi/krb5/gssapi_krb5.c +@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = { + NULL, + #else + iakerb_gss_export_sec_context, +- NULL, ++ iakerb_gss_import_sec_context, + #endif + krb5_gss_inquire_cred_by_mech, + krb5_gss_inquire_names_for_mech, +diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c +index 4662bd9..48beaee 100644 +--- a/src/lib/gssapi/krb5/iakerb.c ++++ b/src/lib/gssapi/krb5/iakerb.c +@@ -1061,7 +1061,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status, + gss_buffer_t interprocess_token) + { + OM_uint32 maj; +- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle; + + /* We don't currently support exporting partially established contexts. */ + if (!ctx->established) +@@ -1076,13 +1076,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status, + return maj; + } + +-/* +- * Until we implement partial context exports, there are no SPNEGO exported +- * context tokens, only tokens for the underlying krb5 context. So we do not +- * need to implement an iakerb_gss_import_sec_context() yet; it would be +- * unreachable except via a manually constructed token. +- */ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_import_sec_context(OM_uint32 *minor_status, ++ gss_buffer_t interprocess_token, ++ gss_ctx_id_t *context_handle) ++{ ++ OM_uint32 maj, tmpmin; ++ krb5_error_code code; ++ gss_ctx_id_t gssc; ++ krb5_gss_ctx_id_t kctx; ++ iakerb_ctx_id_t ctx; ++ ++ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc); ++ if (maj != GSS_S_COMPLETE) ++ return maj; ++ kctx = (krb5_gss_ctx_id_t)gssc; ++ ++ if (!kctx->established) { ++ /* We don't currently support importing partially established ++ * contexts. */ ++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER); ++ return GSS_S_FAILURE; ++ } + ++ code = iakerb_alloc_context(&ctx, kctx->initiate); ++ if (code != 0) { ++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER); ++ *minor_status = code; ++ return GSS_S_FAILURE; ++ } ++ ++ ctx->gssc = gssc; ++ ctx->established = 1; ++ *context_handle = (gss_ctx_id_t)ctx; ++ return GSS_S_COMPLETE; ++} + #endif /* LEAN_CLIENT */ + + OM_uint32 KRB5_CALLCONV +-- +1.9.1 + diff --git a/meta-freedesktop/recipes-core/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch b/meta-freedesktop/recipes-core/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch new file mode 100644 index 0000000..227e6c6 --- /dev/null +++ b/meta-freedesktop/recipes-core/krb5/krb5/Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch @@ -0,0 +1,572 @@ +From 884913e807414a1e06245918dea71243c5fdd0e6 Mon Sep 17 00:00:00 2001 +From: Nicolas Williams <nico@twosigma.com> +Date: Mon, 14 Sep 2015 12:27:52 -0400 +Subject: [PATCH 1/4] Fix SPNEGO context aliasing bugs [CVE-2015-2695] + +The SPNEGO mechanism currently replaces its context handle with the +mechanism context handle upon establishment, under the assumption that +most GSS functions are only called after context establishment. This +assumption is incorrect, and can lead to aliasing violations for some +programs. Maintain the SPNEGO context structure after context +establishment and refer to it in all GSS methods. Add initiate and +opened flags to the SPNEGO context structure for use in +gss_inquire_context() prior to context establishment. + +CVE-2015-2695: + +In MIT krb5 1.5 and later, applications which call +gss_inquire_context() on a partially-established SPNEGO context can +cause the GSS-API library to read from a pointer using the wrong type, +generally causing a process crash. This bug may go unnoticed, because +the most common SPNEGO authentication scenario establishes the context +after just one call to gss_accept_sec_context(). Java server +applications using the native JGSS provider are vulnerable to this +bug. A carefully crafted SPNEGO packet might allow the +gss_inquire_context() call to succeed with attacker-determined +results, but applications should not make access control decisions +based on gss_inquire_context() results prior to context establishment. + + CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +[ghudson@mit.edu: several bugfixes, style changes, and edge-case +behavior changes; commit message and CVE description] + +ticket: 8244 +target_version: 1.14 +tags: pullup + +Backport upstream commit: +https://github.com/krb5/krb5/commit/b51b33f2bc5d1497ddf5bd107f791c101695000d + +Upstream-Status: Backport +--- + src/lib/gssapi/spnego/gssapiP_spnego.h | 2 + + src/lib/gssapi/spnego/spnego_mech.c | 254 ++++++++++++++++++++++++--------- + 2 files changed, 192 insertions(+), 64 deletions(-) + +diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h +index bc23f56..8e05736 100644 +--- a/src/lib/gssapi/spnego/gssapiP_spnego.h ++++ b/src/lib/gssapi/spnego/gssapiP_spnego.h +@@ -102,6 +102,8 @@ typedef struct { + int firstpass; + int mech_complete; + int nego_done; ++ int initiate; ++ int opened; + OM_uint32 ctx_flags; + gss_name_t internal_name; + gss_OID actual_mech; +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index f9248ab..3423f22 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -101,7 +101,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t, + gss_cred_usage_t, gss_OID_set *); + static void release_spnego_ctx(spnego_gss_ctx_id_t *); + static void check_spnego_options(spnego_gss_ctx_id_t); +-static spnego_gss_ctx_id_t create_spnego_ctx(void); ++static spnego_gss_ctx_id_t create_spnego_ctx(int); + static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf); + static int put_input_token(unsigned char **, gss_buffer_t, unsigned int); + static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int); +@@ -439,7 +439,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx) + } + + static spnego_gss_ctx_id_t +-create_spnego_ctx(void) ++create_spnego_ctx(int initiate) + { + spnego_gss_ctx_id_t spnego_ctx = NULL; + spnego_ctx = (spnego_gss_ctx_id_t) +@@ -462,6 +462,8 @@ create_spnego_ctx(void) + spnego_ctx->mic_rcvd = 0; + spnego_ctx->mech_complete = 0; + spnego_ctx->nego_done = 0; ++ spnego_ctx->opened = 0; ++ spnego_ctx->initiate = initiate; + spnego_ctx->internal_name = GSS_C_NO_NAME; + spnego_ctx->actual_mech = GSS_C_NO_OID; + +@@ -627,7 +629,7 @@ init_ctx_new(OM_uint32 *minor_status, + OM_uint32 ret; + spnego_gss_ctx_id_t sc = NULL; + +- sc = create_spnego_ctx(); ++ sc = create_spnego_ctx(1); + if (sc == NULL) + return GSS_S_FAILURE; + +@@ -644,10 +646,7 @@ init_ctx_new(OM_uint32 *minor_status, + ret = GSS_S_FAILURE; + goto cleanup; + } +- /* +- * The actual context is not yet determined, set the output +- * context handle to refer to the spnego context itself. +- */ ++ + sc->ctx_handle = GSS_C_NO_CONTEXT; + *ctx = (gss_ctx_id_t)sc; + sc = NULL; +@@ -1088,16 +1087,11 @@ cleanup: + } + gss_release_buffer(&tmpmin, &mechtok_out); + if (ret == GSS_S_COMPLETE) { +- /* +- * Now, switch the output context to refer to the +- * negotiated mechanism's context. +- */ +- *context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle; ++ spnego_ctx->opened = 1; + if (actual_mech != NULL) + *actual_mech = spnego_ctx->actual_mech; + if (ret_flags != NULL) + *ret_flags = spnego_ctx->ctx_flags; +- release_spnego_ctx(&spnego_ctx); + } else if (ret != GSS_S_CONTINUE_NEEDED) { + if (spnego_ctx != NULL) { + gss_delete_sec_context(&tmpmin, +@@ -1341,7 +1335,7 @@ acc_ctx_hints(OM_uint32 *minor_status, + if (ret != GSS_S_COMPLETE) + goto cleanup; + +- sc = create_spnego_ctx(); ++ sc = create_spnego_ctx(0); + if (sc == NULL) { + ret = GSS_S_FAILURE; + goto cleanup; +@@ -1423,7 +1417,7 @@ acc_ctx_new(OM_uint32 *minor_status, + gss_release_buffer(&tmpmin, &sc->DER_mechTypes); + assert(mech_wanted != GSS_C_NO_OID); + } else +- sc = create_spnego_ctx(); ++ sc = create_spnego_ctx(0); + if (sc == NULL) { + ret = GSS_S_FAILURE; + *return_token = NO_TOKEN_SEND; +@@ -1806,13 +1800,12 @@ cleanup: + ret = GSS_S_FAILURE; + } + if (ret == GSS_S_COMPLETE) { +- *context_handle = (gss_ctx_id_t)sc->ctx_handle; ++ sc->opened = 1; + if (sc->internal_name != GSS_C_NO_NAME && + src_name != NULL) { + *src_name = sc->internal_name; + sc->internal_name = GSS_C_NO_NAME; + } +- release_spnego_ctx(&sc); + } else if (ret != GSS_S_CONTINUE_NEEDED) { + if (sc != NULL) { + gss_delete_sec_context(&tmpmin, &sc->ctx_handle, +@@ -2125,8 +2118,13 @@ spnego_gss_unwrap( + gss_qop_t *qop_state) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_unwrap(minor_status, +- context_handle, ++ sc->ctx_handle, + input_message_buffer, + output_message_buffer, + conf_state, +@@ -2146,8 +2144,13 @@ spnego_gss_wrap( + gss_buffer_t output_message_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + input_message_buffer, +@@ -2164,8 +2167,14 @@ spnego_gss_process_context_token( + const gss_buffer_t token_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ /* SPNEGO doesn't have its own context tokens. */ ++ if (!sc->opened) ++ return (GSS_S_DEFECTIVE_TOKEN); ++ + ret = gss_process_context_token(minor_status, +- context_handle, ++ sc->ctx_handle, + token_buffer); + + return (ret); +@@ -2189,19 +2198,9 @@ spnego_gss_delete_sec_context( + if (*ctx == NULL) + return (GSS_S_COMPLETE); + +- /* +- * If this is still an SPNEGO mech, release it locally. +- */ +- if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) { +- (void) gss_delete_sec_context(minor_status, +- &(*ctx)->ctx_handle, +- output_token); +- (void) release_spnego_ctx(ctx); +- } else { +- ret = gss_delete_sec_context(minor_status, +- context_handle, +- output_token); +- } ++ (void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle, ++ output_token); ++ (void) release_spnego_ctx(ctx); + + return (ret); + } +@@ -2213,8 +2212,13 @@ spnego_gss_context_time( + OM_uint32 *time_rec) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_context_time(minor_status, +- context_handle, ++ sc->ctx_handle, + time_rec); + return (ret); + } +@@ -2226,9 +2230,20 @@ spnego_gss_export_sec_context( + gss_buffer_t interprocess_token) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle; ++ ++ /* We don't currently support exporting partially established ++ * contexts. */ ++ if (!sc->opened) ++ return GSS_S_UNAVAILABLE; ++ + ret = gss_export_sec_context(minor_status, +- context_handle, ++ &sc->ctx_handle, + interprocess_token); ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) { ++ release_spnego_ctx(&sc); ++ *context_handle = GSS_C_NO_CONTEXT; ++ } + return (ret); + } + +@@ -2238,11 +2253,12 @@ spnego_gss_import_sec_context( + const gss_buffer_t interprocess_token, + gss_ctx_id_t *context_handle) + { +- OM_uint32 ret; +- ret = gss_import_sec_context(minor_status, +- interprocess_token, +- context_handle); +- return (ret); ++ /* ++ * Until we implement partial context exports, there are no SPNEGO ++ * exported context tokens, only tokens for underlying mechs. So just ++ * return an error for now. ++ */ ++ return GSS_S_UNAVAILABLE; + } + #endif /* LEAN_CLIENT */ + +@@ -2259,16 +2275,48 @@ spnego_gss_inquire_context( + int *opened) + { + OM_uint32 ret = GSS_S_COMPLETE; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (src_name != NULL) ++ *src_name = GSS_C_NO_NAME; ++ if (targ_name != NULL) ++ *targ_name = GSS_C_NO_NAME; ++ if (lifetime_rec != NULL) ++ *lifetime_rec = 0; ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_spnego; ++ if (ctx_flags != NULL) ++ *ctx_flags = 0; ++ if (locally_initiated != NULL) ++ *locally_initiated = sc->initiate; ++ if (opened != NULL) ++ *opened = sc->opened; ++ ++ if (sc->ctx_handle != GSS_C_NO_CONTEXT) { ++ ret = gss_inquire_context(minor_status, sc->ctx_handle, ++ src_name, targ_name, lifetime_rec, ++ mech_type, ctx_flags, NULL, NULL); ++ } + +- ret = gss_inquire_context(minor_status, +- context_handle, +- src_name, +- targ_name, +- lifetime_rec, +- mech_type, +- ctx_flags, +- locally_initiated, +- opened); ++ if (!sc->opened) { ++ /* ++ * We are still doing SPNEGO negotiation, so report SPNEGO as ++ * the OID. After negotiation is complete we will report the ++ * underlying mechanism OID. ++ */ ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_spnego; ++ ++ /* ++ * Remove flags we don't support with partially-established ++ * contexts. (Change this to keep GSS_C_TRANS_FLAG if we add ++ * support for exporting partial SPNEGO contexts.) ++ */ ++ if (ctx_flags != NULL) { ++ *ctx_flags &= ~GSS_C_PROT_READY_FLAG; ++ *ctx_flags &= ~GSS_C_TRANS_FLAG; ++ } ++ } + + return (ret); + } +@@ -2283,8 +2331,13 @@ spnego_gss_wrap_size_limit( + OM_uint32 *max_input_size) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_size_limit(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + req_output_size, +@@ -2301,8 +2354,13 @@ spnego_gss_get_mic( + gss_buffer_t message_token) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_get_mic(minor_status, +- context_handle, ++ sc->ctx_handle, + qop_req, + message_buffer, + message_token); +@@ -2318,8 +2376,13 @@ spnego_gss_verify_mic( + gss_qop_t *qop_state) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_verify_mic(minor_status, +- context_handle, ++ sc->ctx_handle, + msg_buffer, + token_buffer, + qop_state); +@@ -2334,8 +2397,14 @@ spnego_gss_inquire_sec_context_by_oid( + gss_buffer_set_t *data_set) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ /* There are no SPNEGO-specific OIDs for this function. */ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_UNAVAILABLE); ++ + ret = gss_inquire_sec_context_by_oid(minor_status, +- context_handle, ++ sc->ctx_handle, + desired_object, + data_set); + return (ret); +@@ -2404,8 +2473,15 @@ spnego_gss_set_sec_context_option( + const gss_buffer_t value) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle; ++ ++ /* There are no SPNEGO-specific OIDs for this function, and we cannot ++ * construct an empty SPNEGO context with it. */ ++ if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_UNAVAILABLE); ++ + ret = gss_set_sec_context_option(minor_status, +- context_handle, ++ &sc->ctx_handle, + desired_object, + value); + return (ret); +@@ -2422,8 +2498,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status, + gss_buffer_t output_message_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_aead(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + input_assoc_buffer, +@@ -2444,8 +2525,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status, + gss_qop_t *qop_state) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_unwrap_aead(minor_status, +- context_handle, ++ sc->ctx_handle, + input_message_buffer, + input_assoc_buffer, + output_payload_buffer, +@@ -2464,8 +2550,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status, + int iov_count) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_iov(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + conf_state, +@@ -2483,8 +2574,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status, + int iov_count) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_unwrap_iov(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_state, + qop_state, + iov, +@@ -2502,8 +2598,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status, + int iov_count) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_iov_length(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + conf_state, +@@ -2520,8 +2621,13 @@ spnego_gss_complete_auth_token( + gss_buffer_t input_message_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_UNAVAILABLE); ++ + ret = gss_complete_auth_token(minor_status, +- context_handle, ++ sc->ctx_handle, + input_message_buffer); + return (ret); + } +@@ -2773,8 +2879,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status, + gss_buffer_t prf_out) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_pseudo_random(minor_status, +- context, ++ sc->ctx_handle, + prf_key, + prf_in, + desired_output_len, +@@ -2915,7 +3026,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_qop_t qop_req, gss_iov_buffer_desc *iov, + int iov_count) + { +- return gss_get_mic_iov(minor_status, context_handle, qop_req, iov, ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ ++ return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov, + iov_count); + } + +@@ -2924,7 +3040,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_qop_t *qop_state, gss_iov_buffer_desc *iov, + int iov_count) + { +- return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov, ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ ++ return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov, + iov_count); + } + +@@ -2933,7 +3054,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, gss_qop_t qop_req, + gss_iov_buffer_desc *iov, int iov_count) + { +- return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov, ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ ++ return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov, + iov_count); + } + +-- +1.9.1 + diff --git a/meta-freedesktop/recipes-core/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch b/meta-freedesktop/recipes-core/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch new file mode 100644 index 0000000..9b0c18b --- /dev/null +++ b/meta-freedesktop/recipes-core/krb5/krb5/Fix-build_principal-memory-bug-CVE-2015-2697.patch @@ -0,0 +1,58 @@ +From 9cb63711e63042f22da914ba039c4537b22e8fb0 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Fri, 25 Sep 2015 12:51:47 -0400 +Subject: [PATCH 3/4] Fix build_principal memory bug [CVE-2015-2697] + +In build_principal_va(), use k5memdup0() instead of strdup() to make a +copy of the realm, to ensure that we allocate the correct number of +bytes and do not read past the end of the input string. This bug +affects krb5_build_principal(), krb5_build_principal_va(), and +krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not +affected. + +CVE-2015-2697: + +In MIT krb5 1.7 and later, an authenticated attacker may be able to +cause a KDC to crash using a TGS request with a large realm field +beginning with a null byte. If the KDC attempts to find a referral to +answer the request, it constructs a principal name for lookup using +krb5_build_principal() with the requested realm. Due to a bug in this +function, the null byte causes only one byte be allocated for the +realm field of the constructed principal, far less than its length. +Subsequent operations on the lookup principal may cause a read beyond +the end of the mapped memory region, causing the KDC process to crash. + +CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +ticket: 8252 (new) +target_version: 1.14 +tags: pullup + +Backport upstream commit: +https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789 + +Upstream-Status: Backport +--- + src/lib/krb5/krb/bld_princ.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c +index ab6fed8..8604268 100644 +--- a/src/lib/krb5/krb/bld_princ.c ++++ b/src/lib/krb5/krb/bld_princ.c +@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ, + data = malloc(size * sizeof(krb5_data)); + if (!data) { retval = ENOMEM; } + +- if (!retval) { +- r = strdup(realm); +- if (!r) { retval = ENOMEM; } +- } ++ if (!retval) ++ r = k5memdup0(realm, rlen, &retval); + + while (!retval && (component = va_arg(ap, char *))) { + if (count == size) { +-- +1.9.1 + diff --git a/meta-freedesktop/recipes-core/krb5/krb5_1.12.2.bb b/meta-freedesktop/recipes-core/krb5/krb5_1.13.2.bb index c492496..65013b5 100644 --- a/meta-freedesktop/recipes-core/krb5/krb5_1.12.2.bb +++ b/meta-freedesktop/recipes-core/krb5/krb5_1.13.2.bb @@ -14,7 +14,7 @@ DESCRIPTION = "Kerberos is a system for authenticating users and services on a n HOMEPAGE = "http://web.mit.edu/Kerberos/" SECTION = "console/network" LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=450c80c6258ce03387bd09df37638ebc" +LIC_FILES_CHKSUM = "file://${S}/../NOTICE;md5=f64248328d2d9928e1f04158b5243e7f" DEPENDS = "ncurses util-linux e2fsprogs e2fsprogs-native" inherit autotools-brokensep binconfig perlnative @@ -22,18 +22,21 @@ inherit autotools-brokensep binconfig perlnative SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar \ file://0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch \ - file://0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch \ file://debian-suppress-usr-lib-in-krb5-config.patch;striplevel=2 \ + file://Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch;striplevel=2 \ + file://Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch;striplevel=2 \ + file://Fix-build_principal-memory-bug-CVE-2015-2697.patch;striplevel=2 \ + file://Fix-IAKERB-context-export-import-CVE-2015-2698.patch;striplevel=2 \ file://crosscompile_nm.patch \ file://etc/init.d/krb5-kdc \ file://etc/init.d/krb5-admin-server \ file://etc/default/krb5-kdc \ file://etc/default/krb5-admin-server \ " -SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe" -SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744" +SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189" +SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1" -S = "${WORKDIR}/${BP}/src/" +S = "${WORKDIR}/${BP}/src" PACKAGECONFIG ??= "openssl" PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" @@ -77,4 +80,25 @@ do_install_append() { mkdir -p ${D}/etc/init.d ${D}/etc/default install -m 0755 ${WORKDIR}/etc/init.d/* ${D}/etc/init.d install -m 0644 ${WORKDIR}/etc/default/* ${D}/etc/default + + rm -rf ${D}/var/run + mkdir -p ${D}/etc/default/volatiles + echo "d root root 0755 ${localstatedir}/run/krb5kdc none" \ + > ${D}${sysconfdir}/default/volatiles/87_krb5 + if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /run/krb5kdc - - - -" \ + > ${D}${sysconfdir}/tmpfiles.d/krb5.conf + fi + +} + +pkg_postinst_${PN} () { + if [ -z "$D" ]; then + if command -v systemd-tmpfiles >/dev/null; then + systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/krb5.conf + elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then + ${sysconfdir}/init.d/populate-volatile.sh update + fi + fi } |