diff options
| author | jakllsch <jakllsch> | 2013-09-17 01:04:12 +0000 |
|---|---|---|
| committer | jakllsch <jakllsch> | 2013-09-17 01:04:12 +0000 |
| commit | 4e8140c24a91c7393114b62b1b23d99dc3627ac3 (patch) | |
| tree | 2687ca1068448789a53659c25dba03b5ad8be028 /filesystems/openafs | |
| parent | 658b991f5cdb807e8aad6d2e1351521debf3ee80 (diff) | |
| download | pkgsrc-4e8140c24a91c7393114b62b1b23d99dc3627ac3.tar.gz | |
Update openafs to 1.6.5
Changes since 1.6.2:
OpenAFS 1.6.5
commit 5f5b02a57102af1a85fb9bdaaec31b6094d0c9c4
Author: Michael Meffie <mmeffie@sinenomine.net>
Date: Wed Jul 17 23:10:42 2013 +0100
ubik: Fix encryption selection in ugen
Make sure that we encrypt when requested to by the application
Change-Id: If4c2ba2257bf060d3e9169ccdbcae54f54dfe5d7
commit 0e41558190a5190dee3037c08e8df31e61e5134e
Author: Simon Wilkinson <sxw@your-file-system.com>
Date: Tue Jul 16 19:37:00 2013 +0100
Make OpenAFS 1.6.5
Change-Id: I693297ef6e20358966930cb29116d45b9151811f
commit 9e1c24a583634e6102091388dedc47745efce78a
Author: Ben Kaduk <kaduk@mit.edu>
Date: Sat Jul 13 10:49:27 2013 +0100
Add support for deriving DES keys to klog.krb5
(cherry picked from commit e79102e7918ce5196e870a806879135743ec3abb)
Change-Id: Ia7ebfdd10dcfd6cd164b10275016147630748bac
commit 4b7553600a7659d117df0bde7b1c1dfde031deb8
Author: Andrew Deason <adeason@sinenomine.net>
Date: Wed Jul 10 12:52:28 2013 -0500
Reload rxkad.keytab on CellServDB modification
Make the reloading of rxkad.keytab keys occur in the same way that
KeyFile keys are reloaded. That is, we only try to reload them if the
CellServDB mtime has changed. This is intended to have exactly the
same reloading behavior as KeyFile reloads.
I would have triggered this from afsconf_Check, but that approach
has annoyances. (Calling ticket5_keytab functions directly from
cellconfig pulls in libkrb5 dependencies for everything that uses
cellconfig, and we'd have to trigger an afsconf_Check call by calling
some other cellconfig function.)
9102f49a3bdc67ed74e254349eb55b529472f45c
commit d2024c158e3a879305ff17cf726d3958f20677f4
Author: Andrew Deason <adeason@sinenomine.net>
Date: Mon Jun 10 17:49:12 2013 -0500
Avoid calling afsconf_GetLatestKey directly
Don't call afsconf_GetLatestKey to determine whether we can print our
own local tokens, since we may have keytab 'local' keys, but no DES
keys. Just try to construct them and see if it fails, using
afsconf_PickClientSecObj or afsconf_ClientAuth{,Secure} as
appropriate.
commit d4788f6e283b79a1b974dda1e8fae213efd34930
Author: Andrew Deason <adeason@sinenomine.net>
Date: Mon Jun 10 17:15:27 2013 -0500
auth: Do not always fallback to noauth
Make afsconf_PickClientSecObj error out if we can't construct
localauth tokens (unless the caller explicitly requested rxnull
fallback). afsconf_ClientAuth{,Secure} still falls back, as always.
commit 95d57c74476c5a02ce6d9ca913dcbf88ac5c1143
Author: Ben Kaduk <kaduk@mit.edu>
Date: Tue May 14 19:37:59 2013 -0400
Clean up akimpersonate and use for server-to-server
Since a6d7cacfd, aklog has been able to print a krb5 ticket to
itself for an arbitrary client principal, allowing a user with
access to the cell's krb5 key to get tokens as an arbitrary user.
Now that it is possible to use native krb5 tickets with non-DES
enctypes for authentication, and akimpersonate is available from libauth,
use printed native krb5 tickets for server-to-server communication (as well
as the -localauth versions of the client utilities).
Remove the early call to afsconf_GetLatestKey() in
afsconf_PickClientSecObj() so that we do not end up picking an old DES
key before we try to find a better key to use.
Before doing so, refactor the akimpersonate code to be more usable
and readable, and eliminate some dead code. For example, we always printed
addressless tickets, so that code could be removed. Other code had excessive
stack usage for a library routine, which is eliminated. Use a start time
of 0 instead of 300 so that the printed ticket will always be
detected as infinite-lifetime.
In order to ensure usability on all platforms (in particular Solaris),
provide a couple more compat shims to implement routines which are not
always available from the krb5 library, in particular encode_krb5_ticket
and encode_krb5_enc_tkt_part. Thanks to Andrew Deason for implementing
these compatability routines.
UKERNEL doesn't need this stuff.
commit 15b77552b22e3ff3e7478008673775a45047f600
Author: Alexander Chernyakhovsky <achernya@mit.edu>
Date: Tue May 14 18:12:08 2013 -0400
Move akimpersonate to libauth
Give it its own source file and header, install the header at
depinstall time, and have aklog get the akimpersonate functionality
from libauth.
Keep the linux box copyright from aklog_main.c (but strip the trailing
whitespace), as that block was added with the akimpersonate code.
Remove all calls to afs_com_err() as is fitting for library code,
to let it build. Do not bother removing curly braces which are
no longer needed; a future cleanup commit will catch that.
commit 1c7fa1405940a136a992d65023cc690b1111ab3e
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sun Mar 17 21:58:47 2013 -0400
Derive DES/fcrypt session key from other key types
If a kerberos 5 ticket has a session key with a non-DES enctype,
use the NIST SP800-108 KDF in counter mode with HMAC_MD5 as the PRF to
construct a DES key to be used by rxkad.
To satisfy the requirements of the KDF, DES3 keys are first compressed into a
168 bit form by reversing the RFC3961 random-to-key algorithm
Change-Id: I4dc8e83a641f9892b31c109fb9025251de3dcb27
commit 33eecea7db14d06c59e1081b970d4caf0af773ca
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sun Feb 10 13:27:03 2013 -0500
Integrate keytab-based decryption into afsconf_BuildServerSecurityObjects
Now all servers can have it.
authcon.o grows a krb5 dependency and needs to get KRB5_CPPFLAGS.
Change-Id: I95fecb3f88c19b3d5193ea8200fa20c86ec08ad7
commit 14db1a40e5be3b7325951d002885bbf288d570c1
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sat Feb 9 12:42:20 2013 -0500
New optional rxkad functionality for decypting krb5 tokens
An additional, optional mechanism for decrypting krb5-format tokens
is provided that uses the krb5 api with a key from a keytab
instead of using libdes and the AFS KeyFile.
The AIX compat stub for krb5_c_decrypt is contributed by Andrew Deason.
Change-Id: I97c08122c60482b84d602d6fa6482f1d5deef142
commit 5e0cbc930508a697331bad07cc201c1e1985ff84
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sat Feb 9 12:01:37 2013 -0500
Add rxkad server hook function to decrypt more types of tokens
Allow tokens to be encrypted with algorithms other than DES.
The security object owner must provide an implementation
by calling rxkad_SetAltDecryptProc.
Make sure plainsiz is initialized before calling the alternate decrypt
proc.
User-Visible OpenAFS Changes
OpenAFS 1.6.4
All platforms
* Obey the jumbo/nojumbo settings for ubik servers (the DB servers)
too. In previous releases, those servers may have used jumbograms
even if they were not configured to do so. This change corrects
the actual behaviour, and will improve performance and reliability
for sites where jumbograms are problematic. It could cause a decrease
in performance for sites where jumbograms work, but those can turn
them back on manually.
* Dozens of fixes for common coding problems like use after free,
use of possibly uninitialised memory, reading or writing past the
end of arrays and potential NULL pointer derefences. Spotted by
code analysis tools or human inspection.
* Documentation improvements.
* Fixes and improvements to the diagnostic or log messages printed by
vos, the fileserver and others.
* Build fixes, making parallel builds more reliable with certain
configuration options and helping various platforms including
recent releases of IRIX, Solaris and several flavours of Linux.
* Avoid sending a small amount of data over the wire unencrypted
under certain conditions, and emit the correct error message in
this case.
All server platforms
* Avoid generating duplicate IDs for readonly and backup volumes,
which could happen under certain conditions.
* Allow the fileserver to return volume data like quota or free space,
which is available publicly elsewhere, without the additional access
check for read permissions on a volume's root directory the fileserver
performed before.
* The fileserver now emits a log message when it ran out of memory for
callbacks.
* Avoid several potential fileserver problems, including memory
corruption and segmentation faults, due to client bookkeeping.
* Avoid known cases of silent data corruption due to background syncs
on the fileserver, especially during Copy on Write.
* Make the fileserver sync behaviour runtime configurable. Up to 1.4.5,
we had synchronous syncs which were safe but really slow. Since 1.4.5,
we've had asynchronous syncs which are much faster but believed to
be the cause of rare data corruption issues, and while all known cases
of these happening are believed to be fixed in the 1.6.3 release, doubts
remain. This change allows choosing between those, and in addition allows
to turn syncs by the fileserver off altogether, thus relying on the vice
partition's backend filesystem and the operating system, or to just
execute them when a volume is detached. The default behaviour is
unchanged from releases since 1.4.5, but it's highly recommended to
consider the additional options this change provides. Future OpenAFS
releases will default to "-sync=none".
* For dbservers, avoid a situation where misinterpreting transient
network errors causes long-term issues with achieving ubik quorum.
All UNIX client platforms
* Improvements to the detection of an aklog-specific krb5 configuration
file, for the purposes of turning on "weak crypto" for aklog.
* Fixed a regression introduced in release 1.6.2 which caused the
supposedly persistent disk cache to be discarded upon client start.
(RT #131655)
Linux clients
* Support Linux kernels up to 3.10
* Fixed two bugs making it impossible to unmount a disk cache filesystem
after it has been used by the client. (RT #131613)
* Fixed a bug that could cause an oops with kernels 3.6 and later
OpenBSD
* Improved support for OpenBSD 4.9 to 5.3
OpenAFS 1.6.3
This release number had to be skipped for technical reasons.
Diffstat (limited to 'filesystems/openafs')
| -rw-r--r-- | filesystems/openafs/Makefile | 6 | ||||
| -rw-r--r-- | filesystems/openafs/distinfo | 8 |
2 files changed, 7 insertions, 7 deletions
diff --git a/filesystems/openafs/Makefile b/filesystems/openafs/Makefile index 32539d85ed9..e70bd39fb93 100644 --- a/filesystems/openafs/Makefile +++ b/filesystems/openafs/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.4 2013/03/04 19:39:41 jakllsch Exp $ +# $NetBSD: Makefile,v 1.5 2013/09/17 01:04:12 jakllsch Exp $ -DISTNAME= openafs-1.6.2-src +DISTNAME= openafs-1.6.5-src PKGNAME= ${DISTNAME:C/-src//} CATEGORIES= filesystems net sysutils -MASTER_SITES= http://www.openafs.org/dl/openafs/1.6.2/ +MASTER_SITES= http://www.openafs.org/dl/openafs/1.6.5/ EXTRACT_SUFX= .tar.bz2 MAINTAINER= gendalia@NetBSD.org diff --git a/filesystems/openafs/distinfo b/filesystems/openafs/distinfo index d6afc23d853..12f7862805b 100644 --- a/filesystems/openafs/distinfo +++ b/filesystems/openafs/distinfo @@ -1,8 +1,8 @@ -$NetBSD: distinfo,v 1.4 2013/03/04 19:39:41 jakllsch Exp $ +$NetBSD: distinfo,v 1.5 2013/09/17 01:04:12 jakllsch Exp $ -SHA1 (openafs-1.6.2-src.tar.bz2) = 3a5513c93bc9b1f58500cae2825d2a413952383f -RMD160 (openafs-1.6.2-src.tar.bz2) = 03a524e7b602775981c6dedfd7883ed1205a7464 -Size (openafs-1.6.2-src.tar.bz2) = 14378378 bytes +SHA1 (openafs-1.6.5-src.tar.bz2) = f0261d7fcd05610d2bb7dcf43c6bb21115476472 +RMD160 (openafs-1.6.5-src.tar.bz2) = 4f0eac7661c311e08b85f4195c712ee592a9b52c +Size (openafs-1.6.5-src.tar.bz2) = 14400420 bytes SHA1 (patch-Makefile.in) = 159d314975188f768e0046bf153711d1b5c6b89c SHA1 (patch-src_aklog_aklog.c) = 7a21b2bd338a3a1d00dc0cb99f1af206ab0c607c SHA1 (patch-src_comerr_Makefile.in) = dd5e996481d7ef908710868aa9dc1b65feb98717 |