krb5 commit: Remove ovsec_adm_export dump format support

Greg Hudson ghudson at mit.edu
Wed Apr 17 13:05:39 EDT 2019


https://github.com/krb5/krb5/commit/23b93fd48bc445005436c5be98a7269b599b1800
commit 23b93fd48bc445005436c5be98a7269b599b1800
Author: Robbie Harwood <rharwood at redhat.com>
Date:   Tue Jan 22 18:34:58 2019 -0500

    Remove ovsec_adm_export dump format support
    
    Dumping only supported single-DES principals.  While importing still
    functioned, it would only have been useful for extremely old (1.3-era)
    KDCs.
    
    ticket: 8798 (new)

 doc/admin/admin_commands/kdb5_util.rst |   11 +---
 doc/admin/database.rst                 |   14 ----
 src/kadmin/dbutil/dump.c               |  109 ++------------------------------
 src/kadmin/dbutil/kdb5_util.c          |    4 +-
 src/man/kdb5_util.man                  |   15 +---
 src/tests/Makefile.in                  |    6 --
 src/tests/t_dump.py                    |    8 ---
 7 files changed, 14 insertions(+), 153 deletions(-)

diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst
index fee6826..7dd54f7 100644
--- a/doc/admin/admin_commands/kdb5_util.rst
+++ b/doc/admin/admin_commands/kdb5_util.rst
@@ -136,7 +136,7 @@ dump
 
 .. _kdb5_util_dump:
 
-    **dump** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**]
+    **dump** [**-b7**\|\ **-r13**\|\ **-r18**]
     [**-verbose**] [**-mkey_convert**] [**-new_mkey_file**
     *mkey_file*] [**-rev**] [**-recurse**] [*filename*
     [*principals*...]]
@@ -151,9 +151,6 @@ load_dump version 7".  If filename is not specified, or is the string
     load_dump version 4").  This was the dump format produced on
     releases prior to 1.2.2.
 
-**-ov**
-    causes the dump to be in "ovsec_adm_export" format.
-
 **-r13**
     causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
     load_dump version 5").  This was the dump format produced on
@@ -204,7 +201,7 @@ load
 
 .. _kdb5_util_load:
 
-    **load** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] [**-hash**]
+    **load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**]
     [**-verbose**] [**-update**] *filename*
 
 Loads a database dump from the named file into the named database.  If
@@ -222,10 +219,6 @@ Options:
     ("kdb5_util load_dump version 4").  This was the dump format
     produced on releases prior to 1.2.2.
 
-**-ov**
-    requires the database to be in "ovsec_adm_import" format.  Must be
-    used with the **-update** option.
-
 **-r13**
     requires the database to be in Kerberos 5 1.3 format ("kdb5_util
     load_dump version 5").  This was the dump format produced on
diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index 2b02af3..113a680 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -393,20 +393,6 @@ To dump a single principal and later load it, updating the database:
           If the database file exists, and the *-update* flag was not
           given, *kdb5_util* will overwrite the existing database.
 
-Using kdb5_util to upgrade a master KDC from krb5 1.1.x:
-
-::
-
-    shell% kdb5_util dump old-kdb-dump
-    shell% kdb5_util dump -ov old-kdb-dump.ov
-      [Create a new KDC installation, using the old stash file/master password]
-    shell% kdb5_util load old-kdb-dump
-    shell% kdb5_util load -update old-kdb-dump.ov
-
-The use of old-kdb-dump.ov for an extra dump and load is necessary
-to preserve per-principal policy information, which is not included in
-the default dump format of krb5 1.1.x.
-
 .. note::
 
           Using kdb5_util to dump and reload the principal database is
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index c9574c6..301e347 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -475,83 +475,6 @@ dump_r1_11_policy(void *data, osa_policy_ent_t entry)
     fprintf(arg->ofile, "\n");
 }
 
-static void
-print_key_data(FILE *f, krb5_key_data *kd)
-{
-    int c;
-
-    fprintf(f, "%d\t%d\t", kd->key_data_type[0], kd->key_data_length[0]);
-    for (c = 0; c < kd->key_data_length[0]; c++)
-        fprintf(f, "%02x ", kd->key_data_contents[0][c]);
-}
-
-/* Output osa_adb_princ_ent data in a printable serialized format, suitable for
- * ovsec_adm_import consumption. */
-static krb5_error_code
-dump_ov_princ(krb5_context context, krb5_db_entry *entry, const char *name,
-              FILE *fp, krb5_boolean verbose, krb5_boolean omit_nra)
-{
-    char *princstr;
-    unsigned int x;
-    int y, foundcrc;
-    krb5_tl_data tl_data;
-    osa_princ_ent_rec adb;
-    XDR xdrs;
-    krb5_key_data *key_data;
-
-    tl_data.tl_data_type = KRB5_TL_KADM_DATA;
-    if (krb5_dbe_lookup_tl_data(context, entry, &tl_data) ||
-        tl_data.tl_data_length == 0)
-        return 0;
-
-    memset(&adb, 0, sizeof(adb));
-    xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents,
-                  tl_data.tl_data_length, XDR_DECODE);
-    if (!xdr_osa_princ_ent_rec(&xdrs, &adb)) {
-        xdr_destroy(&xdrs);
-        return KADM5_XDR_FAILURE;
-    }
-    xdr_destroy(&xdrs);
-
-    krb5_unparse_name(context, entry->princ, &princstr);
-    fprintf(fp, "princ\t%s\t", princstr);
-    if (adb.policy == NULL)
-        fputc('\t', fp);
-    else
-        fprintf(fp, "%s\t", adb.policy);
-    fprintf(fp, "%lx\t%d\t%d\t%d", adb.aux_attributes, adb.old_key_len,
-            adb.old_key_next, adb.admin_history_kvno);
-
-    for (x = 0; x < adb.old_key_len; x++) {
-        foundcrc = 0;
-        for (y = 0; y < adb.old_keys[x].n_key_data; y++) {
-            key_data = &adb.old_keys[x].key_data[y];
-            if (key_data->key_data_type[0] != ENCTYPE_DES_CBC_CRC)
-                continue;
-            if (foundcrc) {
-                fprintf(stderr, _("Warning!  Multiple DES-CBC-CRC keys for "
-                                  "principal %s; skipping duplicates.\n"),
-                        princstr);
-                continue;
-            }
-            foundcrc++;
-
-            fputc('\t', fp);
-            print_key_data(fp, key_data);
-        }
-        if (!foundcrc) {
-            fprintf(stderr, _("Warning!  No DES-CBC-CRC key for principal %s, "
-                              "cannot generate OV-compatible record; "
-                              "skipping\n"), princstr);
-        }
-    }
-
-    fputc('\n', fp);
-    free(princstr);
-    xdr_free(xdr_osa_princ_ent_rec, &adb);
-    return 0;
-}
-
 static krb5_error_code
 dump_iterator(void *ptr, krb5_db_entry *entry)
 {
@@ -1093,14 +1016,6 @@ process_k5beta7_record(krb5_context context, const char *fname, FILE *filep,
 }
 
 static int
-process_ov_record(krb5_context context, const char *fname, FILE *filep,
-                  krb5_boolean verbose, int *linenop)
-{
-    return process_tagged(context, fname, filep, verbose, linenop,
-                          process_ov_principal, process_k5beta7_policy);
-}
-
-static int
 process_r1_8_record(krb5_context context, const char *fname, FILE *filep,
                     krb5_boolean verbose, int *linenop)
 {
@@ -1126,16 +1041,6 @@ dump_version beta7_version = {
     dump_k5beta7_policy,
     process_k5beta7_record,
 };
-dump_version ov_version = {
-    "OpenV*Secure V1.0",
-    "OpenV*Secure V1.0\t",
-    1,
-    0,
-    0,
-    dump_ov_princ,
-    dump_k5beta7_policy,
-    process_ov_record
-};
 dump_version r1_3_version = {
     "Kerberos version 5 release 1.3",
     "kdb5_util load_dump version 5\n",
@@ -1258,7 +1163,7 @@ current_dump_sno_in_ulog(krb5_context context, const char *ifile)
 
 /*
  * usage is:
- *      dump_db [-b7] [-ov] [-r13] [-r18] [-verbose] [-mkey_convert]
+ *      dump_db [-b7] [-r13] [-r18] [-verbose] [-mkey_convert]
  *              [-new_mkey_file mkey_file] [-rev] [-recurse]
  *              [filename [principals...]]
  */
@@ -1293,7 +1198,8 @@ dump_db(int argc, char **argv)
         if (!strcmp(argv[aindex], "-b7")) {
             dump = &beta7_version;
         } else if (!strcmp(argv[aindex], "-ov")) {
-            dump = &ov_version;
+            fprintf(stderr, _("OV dump format not supported\n"));
+            goto error;
         } else if (!strcmp(argv[aindex], "-r13")) {
             dump = &r1_3_version;
         } else if (!strcmp(argv[aindex], "-r18")) {
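Review bot: The new `-ov` rejection in dump_db prints `OV dump format not supported` without the `progname` prefix that the other diagnostic visible in this file carries (`_("%s: dump header bad in %s\n"), progname, dumpfile` in load_db), which makes it harder to attribute in logs from scripted dumps; consider `fprintf(stderr, _("%s: OV dump format not supported\n"), progname);`. The identical branch added in load_db has the same gap. The `error` label lies outside both hunks, so confirm it leaves a nonzero exit status, otherwise automation that still passes `-ov` would not notice that nothing was dumped or loaded. t_dump.py drops its `-ov` cases in this commit without adding one that asserts the option is now refused; a single `realm.run([kdb5_util, 'dump', '-ov', dumpfile], expected_code=1, expected_msg='OV dump format not supported')` would pin that, assuming the error path exits with 1.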
@@ -1506,8 +1412,7 @@ restore_dump(krb5_context context, char *dumpfile, FILE *f,
 }
 
 /*
- * Usage: load_db [-ov] [-b7] [-r13] [-r18] [-verbose] [-update] [-hash]
- *                filename
+ * Usage: load_db [-b7] [-r13] [-r18] [-verbose] [-update] [-hash] filename
  */
 void
 load_db(int argc, char **argv)
@@ -1531,7 +1436,8 @@ load_db(int argc, char **argv)
         if (!strcmp(argv[aindex], "-b7")){
             load = &beta7_version;
         } else if (!strcmp(argv[aindex], "-ov")) {
-            load = &ov_version;
+            fprintf(stderr, _("OV dump format not supported\n"));
+            goto error;
         } else if (!strcmp(argv[aindex], "-r13")) {
             load = &r1_3_version;
         } else if (!strcmp(argv[aindex], "-r18")){
@@ -1596,9 +1502,6 @@ load_db(int argc, char **argv)
             load = &r1_8_version;
         } else if (strcmp(buf, r1_11_version.header) == 0) {
             load = &r1_11_version;
-        } else if (strncmp(buf, ov_version.header,
-                           strlen(ov_version.header)) == 0) {
-            load = &ov_version;
         } else {
             fprintf(stderr, _("%s: dump header bad in %s\n"), progname,
                     dumpfile);
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index accc959..e73e2c6 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -85,10 +85,10 @@ void usage()
               "\tcreate  [-s]\n"
               "\tdestroy [-f]\n"
               "\tstash   [-f keyfile]\n"
-              "\tdump    [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n"
+              "\tdump    [-old|-b6|-b7|-r13|-r18] [-verbose]\n"
               "\t        [-mkey_convert] [-new_mkey_file mkey_file]\n"
               "\t        [-rev] [-recurse] [filename [princs...]]\n"
-              "\tload    [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] "
+              "\tload    [-old|-b6|-b7|-r13|-r18] [-verbose] [-update] "
               "filename\n"
               "\tark     [-e etype_list] principal\n"
               "\tadd_mkey [-e etype] [-s]\n"
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 53d945e..9a36ef0 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDB5_UTIL" "8" " " "1.17" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.18" "MIT Kerberos"
 .SH NAME
 kdb5_util \- Kerberos database maintenance utility
 .
@@ -136,7 +136,7 @@ kdc.conf(5)\&.
 .SS dump
 .INDENT 0.0
 .INDENT 3.5
-\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP]
+\fBdump\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP]
 [\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP
 \fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP
 [\fIprincipals\fP\&...]]
@@ -154,9 +154,6 @@ causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
 load_dump version 4").  This was the dump format produced on
 releases prior to 1.2.2.
 .TP
-\fB\-ov\fP
-causes the dump to be in "ovsec_adm_export" format.
-.TP
 \fB\-r13\fP
 causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
 load_dump version 5").  This was the dump format produced on
@@ -203,7 +200,7 @@ doing a normal dump instead of a recursive traversal.
 .SS load
 .INDENT 0.0
 .INDENT 3.5
-\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP]
+\fBload\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP]
 [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP
 .UNINDENT
 .UNINDENT
@@ -224,10 +221,6 @@ requires the database to be in the Kerberos 5 Beta 7 format
 ("kdb5_util load_dump version 4").  This was the dump format
 produced on releases prior to 1.2.2.
 .TP
-\fB\-ov\fP
-requires the database to be in "ovsec_adm_import" format.  Must be
-used with the \fB\-update\fP option.
-.TP
 \fB\-r13\fP
 requires the database to be in Kerberos 5 1.3 format ("kdb5_util
 load_dump version 5").  This was the dump format produced on
@@ -561,6 +554,6 @@ kadmin(1), kerberos(7)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2018, MIT
+1985-2019, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 5afbe21..8afa0cd 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -100,7 +100,6 @@ kdb_check: kdc.conf krb5.conf
 	$(RUN_DB_TEST) ../tests/create/kdb5_mkdums $(KTEST_OPTS)
 	$(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS)
 	$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump
-	$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump
 	$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
 	@echo "====> NOTE!"
 	@echo "The following 'create' command is needed due to a change"
@@ -108,16 +107,11 @@ kdb_check: kdc.conf krb5.conf
 	@echo ====
 	$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W
 	$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump
-	$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -update -ov $(TEST_DB).ovdump
 	$(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS)
 	$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump2
-	$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump2
 	sort $(TEST_DB).dump > $(TEST_DB).sort
 	sort $(TEST_DB).dump2 > $(TEST_DB).sort2
-	sort $(TEST_DB).ovdump > $(TEST_DB).ovsort
-	sort $(TEST_DB).ovdump2 > $(TEST_DB).ovsort2
 	cmp $(TEST_DB).sort $(TEST_DB).sort2
-	cmp $(TEST_DB).ovsort $(TEST_DB).ovsort2
 	$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
 	$(RM) $(TEST_DB)* stash_file
 
diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py
index d803d56..5d692df 100755
--- a/src/tests/t_dump.py
+++ b/src/tests/t_dump.py
@@ -73,7 +73,6 @@ for realm in multidb_realms(start_kdc=False):
     srcdump_r18 = os.path.join(srcdumpdir, 'dump.r18')
     srcdump_r13 = os.path.join(srcdumpdir, 'dump.r13')
     srcdump_b7 = os.path.join(srcdumpdir, 'dump.b7')
-    srcdump_ov = os.path.join(srcdumpdir, 'dump.ov')
 
     # Load a dump file from the source directory.
     realm.run([kdb5_util, 'destroy', '-f'])
@@ -86,17 +85,10 @@ for realm in multidb_realms(start_kdc=False):
     dump_compare(realm, ['-r18'], srcdump_r18)
     dump_compare(realm, ['-r13'], srcdump_r13)
     dump_compare(realm, ['-b7'], srcdump_b7)
-    dump_compare(realm, ['-ov'], srcdump_ov)
 
     # Load each format of dump, check it, re-dump it, and compare.
     load_dump_check_compare(realm, ['-r18'], srcdump_r18)
     load_dump_check_compare(realm, ['-r13'], srcdump_r13)
     load_dump_check_compare(realm, ['-b7'], srcdump_b7)
 
-    # Loading the last (-b7 format) dump won't have loaded the
-    # per-principal kadm data.  Load that incrementally with -ov.
-    realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: [none]')
-    realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov])
-    realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: testpol')
-
 success('Dump/load tests')

