From 707673a5059f9cba18f6f2733a20ee2f9e639ae9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Wed, 17 Apr 2019 16:17:17 -0400
Subject: [PATCH] Remove ovsec_adm_export and confvalidator
---
Remove-confvalidator-utility.patch | 430 ++++++++++++++++++
...ovsec_adm_export-dump-format-support.patch | 385 ++++++++++++++++
krb5.spec | 7 +-
3 files changed, 821 insertions(+), 1 deletion(-)
create mode 100644 Remove-confvalidator-utility.patch
create mode 100644 Remove-ovsec_adm_export-dump-format-support.patch
diff --git a/Remove-confvalidator-utility.patch b/Remove-confvalidator-utility.patch
new file mode 100644
index 0000000..d002286
--- /dev/null
+++ b/Remove-confvalidator-utility.patch
@@ -0,0 +1,430 @@ +From 32a6caec15bafd37fdf5746c08cf1a385166020e Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 3 Apr 2019 14:58:19 -0400 +Subject: [PATCH] Remove confvalidator utility + +This utility has not been maintained with encryption types and salt +changes, which suggests it is unused. + +(cherry picked from commit 482a366793d9338e9edb504b407d7704a4bb2f8f) +--- + src/util/confvalidator/README | 25 ---- + src/util/confvalidator/confparser.py | 144 ------------------- + src/util/confvalidator/rules.yml | 13 -- + src/util/confvalidator/validator.conf | 2 - + src/util/confvalidator/validator.py | 194 -------------------------- + 5 files changed, 378 deletions(-) + delete mode 100644 src/util/confvalidator/README + delete mode 100644 src/util/confvalidator/confparser.py + delete mode 100644 src/util/confvalidator/rules.yml + delete mode 100644 src/util/confvalidator/validator.conf + delete mode 100644 src/util/confvalidator/validator.py + +diff --git a/src/util/confvalidator/README b/src/util/confvalidator/README +deleted file mode 100644 +index 7bf7a106a..000000000 +--- a/src/util/confvalidator/README ++++ /dev/null +@@ -1,25 +0,0 @@ +-validator.py is a command line tool for identifying invalid attributes, values and some formating problems in Kerberos configuration files. +-The list of the valid attributes is created based on the “configuration variables” section in k5-int.h and user defined attributes from the rules file. +- +-Usage: +- +-validator.py path [-d defPath] [-r rulesPath] [-c validatorConfPath] +- +-Options: +- +-path – the path to the configuration file to validate +- +--d defPath – path to the k5-int.h file. Starting from the 1.7 release this header holds the profile attribute names in the form #define KRB5_CONF_xxx ”ZZZ”. +- +--r rulesPath - path the rules file in yaml format. It may be used to manage the list of the valid attributes and to define the additional validation rules. 
+- +--c validatorConfPath – the same as -r and -d options, but in validator configuration file format. +- +-Example: +- +-python validator.py src/config-files/krb5.conf -r rules.yml -d src/include/k5-int.h +-or +-python validator.py src/config-files/krb5.conf -c validator.conf +- +-For more details please refer to the sample files validator.conf and rules.yml +- +diff --git a/src/util/confvalidator/confparser.py b/src/util/confvalidator/confparser.py +deleted file mode 100644 +index 2fea142a5..000000000 +--- a/src/util/confvalidator/confparser.py ++++ /dev/null +@@ -1,144 +0,0 @@ +-''' +-Created on Jan 31, 2010 +- +-@author: tsitkova +-''' +-import re +-import copy +-import yaml +- +-class ConfParser(object): +- def __init__(self, path): +- self.configuration = self._parse(path) +- +- def walk(self): +- for trio in self._walk(self.configuration): +- yield trio +- +- def _parse(self, path): +- comment_pattern = re.compile(r'(\s*[#].*)') +- section_pattern = re.compile(r'^\s*\[(?P
\w+)\]\s+$') +- empty_pattern = re.compile(r'^\s*$') +- equalsign_pattern = re.compile(r'=') +- +- section = None +- parser_stack = list() +- result = dict() +- value = None +- f = open(path, 'r') +- for (ln,line) in enumerate(f): +- line = comment_pattern.sub('', line) +- line = equalsign_pattern.sub(' = ',line,count=1) +- if empty_pattern.match(line) is not None: +- continue +- m = section_pattern.match(line) +- if m is not None: +- section = m.group('section') +- value = dict() +- result[section] = value +- continue +- if section is None: +- msg = 'Failed to determine section for line #%i' % ln +- raise ValueError(msg) +- try: +- value = self._parseLine(value, line, parser_stack) +- except: +- print 'Error while parsing line %i: %s' % (ln+1, line) +- raise +- f.close() +- +- if len(parser_stack): +- raise 'Parsing error.' +- +- return result +- +- def _parseLine(self, value, content, stack): +- token_pattern = re.compile(r'(?P\S+)(?=\s+)') +- attr = None +- token_stack = list() +- +- for m in token_pattern.finditer(content): +- token = m.group('token') +- if not self._validate(token): +- raise ValueError('Invalid token %s' % token) +- if token == '=': +- if len(token_stack) == 0: +- raise ValueError('Failed to find attribute.') +- elif len(token_stack) == 1: +- attr = token_stack.pop() +- else: +- value[attr] = token_stack[:-1] +- attr = token_stack[-1] +- token_stack = list() +- elif token == '{': +- if attr is None: +- raise ValueError('Failed to find attribute.') +- stack.append((attr,value)) +- value = dict() +- elif token == '}': +- if len(stack) == 0: +- raise ValueError('Failed to parse: unbalanced braces') +- if len(token_stack): +- if attr is None: +- raise ValueError('Missing attribute') +- value[attr] = token_stack +- attr = None +- token_stack = list() +- (attr,parent_value) = stack.pop() +- parent_value[attr] = value +- value = parent_value +- else: +- token_stack.append(token) +- if len(token_stack): +- if attr is None: +- raise ValueError('Missing 
attribute') +- value[attr] = token_stack +- +- return value +- +- def _validate(self, token): +- result = True +- for s in ['{','}']: +- if s in token and s != token: +- result = False +- +- return result +- +- def _walk(self, parsedData, path='root'): +- dirs = list() +- av = list() +- for (key, value) in parsedData.iteritems(): +- if type(value) == dict: +- new_path = path + '.' + key +- for trio in self._walk(value, new_path): +- yield trio +- dirs.append(key) +- else: +- av.append((key,value)) +- yield (path, dirs, av) +- +- +- +-class ConfParserTest(ConfParser): +- def __init__(self): +- self.conf_path = '../tests/krb5.conf' +- super(ConfParserTest, self).__init__(self.conf_path) +- +- def run_tests(self): +- self._test_walk() +- +- def _test_parse(self): +- result = self._parse(self.conf_path) +- print yaml.dump(result) +- +- def _test_walk(self): +- configuration = self._parse(self.conf_path) +- for (path,dirs,av) in self.walk(): +- print path,dirs,av +- +- +- +- +-if __name__ == '__main__': +- tester = ConfParserTest() +- tester.run_tests() +diff --git a/src/util/confvalidator/rules.yml b/src/util/confvalidator/rules.yml +deleted file mode 100644 +index c6ccc89fe..000000000 +--- a/src/util/confvalidator/rules.yml ++++ /dev/null +@@ -1,13 +0,0 @@ +-# Extend the list of the allowed enctypes and salts as needed +-Types: +- supported_enctypes: +- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)(:(normal|v4))?$' +- default_tgs_enctypes: +- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)' +- default_tkt_enctypes: +- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)' +- +-# Add all valid profile attributes that are not listed in k5-int.h 
+-Attributes: +- - logging +- - dbmodules +diff --git a/src/util/confvalidator/validator.conf b/src/util/confvalidator/validator.conf +deleted file mode 100644 +index 71e205c3b..000000000 +--- a/src/util/confvalidator/validator.conf ++++ /dev/null +@@ -1,2 +0,0 @@ +-RulesPath=./rules.yml +-HfilePath=../../include/k5-int.h +diff --git a/src/util/confvalidator/validator.py b/src/util/confvalidator/validator.py +deleted file mode 100644 +index d739bc091..000000000 +--- a/src/util/confvalidator/validator.py ++++ /dev/null +@@ -1,194 +0,0 @@ +-''' +-Created on Jan 25, 2010 +- +-@author: tsitkova +-''' +-import os +-import sys +-import re +-import yaml +-from optparse import OptionParser +-from confparser import ConfParser +- +-class Rule(object): +- def __init__(self): +- pass +- +- def validate(self,node): +- (path,dirs,avs) = node +- +- +-class Validator(object): +- def __init__(self, kerberosPath, confPath=None, rulesPath=None, hfilePath=None): +- self.parser = ConfParser(kerberosPath) +- if confPath is not None: +- content = self._readConfigFile(confPath) +- rulesPath = content['RulesPath'] +- hfilePath = content['HfilePath'] +- if rulesPath is not None and hfilePath is not None: +- self.rules = self._loadRules(rulesPath) +- self.validKeys = SupportedKeys(hfilePath).validKeys.union(self.rules['Attributes']) +- else: +- raise ValueError('Invalid arguments for validator: no path to rules and definition files') +- +- self._attribute_pattern = re.compile(r'^\w+$') +- self._lowercase_pattern = re.compile(r'[a-z]') +- +- def _readConfigFile(self,path): +- f = open(path) +- result = dict() +- for line in f: +- line = line.rstrip() +- fields = line.split('=') +- result[fields[0]] = fields[1] +- +- return result +- +- def _loadRules(self, path): +- f = open(path) +- rules = yaml.load(f) +- f.close() +- +- return rules +- +- def validate(self): +- typeInfo = self.rules['Types'] +- +- for node in self.parser.walk(): +- self._validateTypes(node, typeInfo) +- 
self._validateAttrubutes(node, self.validKeys) +- # self._validateRealm(node) +- +- +- def _validateTypes(self, node, typeInfo): +- (path, dirs, avs) = node +- for (key, value) in avs: +- valid_type_pattern = typeInfo.get(key) +- if valid_type_pattern is not None: +- for t in value: +- if re.match(valid_type_pattern, t) is None: +- print 'Wrong type %s for attribute %s.%s' % (t,path,key) +- +- def _validateAttrubutes(self, node, validKeys): +- (path, dirs, avs) = node +- attributes = list() +- for attr in dirs: +- if self._attribute_pattern.match(attr) is not None: +- attributes.append(attr) +- for (attr, value) in avs: +- if self._attribute_pattern.match(attr) is not None: +- attributes.append(attr) +- +- for attr in attributes: +- if attr not in validKeys: +- print 'Unrecognized attribute %s at %s' % (attr, path) +- +-# def _validateRealm(self, node): +-# (path, dirs, avs) = node +-# if path == 'root.realms': +-# for attr in dirs: +-# if self._lowercase_pattern.search(attr) is not None: +-# print 'Lower case letter in realm attribute: %s at %s' % (attr, path) +- +-class SupportedKeys(object): +- def __init__(self, path): +- self.validKeys = self.getKeysFromHfile(path) +- +- def getKeysFromHfile(self, path): +- pattern = re.compile(r'^[#]define KRB5_CONF_\w+\s+["](\w+)["]') +- f = open(path) +- result = set() +- for l in f: +- l = l.rstrip() +- m = pattern.match(l) +- if m is not None: +- result.add(m.groups()[0]) +- f.close() +- +- return result +- +- +-class ValidatorTest(Validator): +- def __init__(self): +- self.kerberosPath = '../tests/kdc1.conf' +- self.rulesPath = '../tests/rules.yml' +- self.hfilePath = '../tests/k5-int.h' +- self.confPath = '../tests/validator.conf' +- +- super(ValidatorTest, self).__init__(self.kerberosPath, +- rulesPath=self.rulesPath, +- hfilePath=self.hfilePath) +- +- def run_tests(self): +- self._test_validate() +- +- def _test__loadRules(self): +- result = self._loadRules(self.rulesPath) +- print result +- +- def 
_test_validate(self): +- self.validate() +- +- def _test__readConfigFile(self): +- result = self._readConfigFile(self.confPath) +- print result +- +-class SupportedKeysTest(SupportedKeys): +- def __init__(self): +- self.path = '../tests/k5-int.h' +- +- def run_tests(self): +- self._test_getKeysFromHFile() +- +- def _test_getKeysFromHFile(self): +- result = set() +- krb5keys = self.getKeysFromHfile(self.path) +- for key in krb5keys: +- print key +- result.update(key) +- print len(krb5keys) +- +- return result +- +-def _test(): +- tester = ValidatorTest() +- krb5keys = tester.run_tests() +- +-if __name__ == '__main__': +- TEST = False +- if TEST: +- _test() +- sys.exit() +- +- +- usage = "\n\t%prog path [-d defPath] [-r rulesPath] [-c validatorConfPath]" +- description = 'Description: validates kerberos configuration file' +- parser = OptionParser(usage = usage, description = description) +- parser.add_option("-c", dest="confPath", +- help='path to validator config file') +- parser.add_option("-d", dest="hfilePath", +- help='path to h-file with attribute definition') +- parser.add_option("-r", dest="rulesPath", +- help='path to file with validation rules') +- (options, args) = parser.parse_args() +- +- if len(args) != 1 and len(sys.argv) <= 3: +- print '\n%s' % parser.get_usage() +- sys.exit() +- +- validator = None +- if options.confPath is not None: +- validator = Validator(args[0], confPath=options.confPath) +- elif options.hfilePath is not None and options.rulesPath is not None: +- validator = Validator(args[0], hfilePath=options.hfilePath, rulesPath=options.rulesPath) +- else: +- print '\nMust specify either configuration file or paths to rules and definitions files' +- print '%s' % parser.get_usage() +- sys.exit() +- +- validator.validate() +- +- +- +- +- diff --git a/Remove-ovsec_adm_export-dump-format-support.patch b/Remove-ovsec_adm_export-dump-format-support.patch new file mode 100644 index 0000000..12008d6 --- /dev/null 
+++ b/Remove-ovsec_adm_export-dump-format-support.patch 
@@ -0,0 +1,385 @@ +From 34bde16a10c0cf0f05732376b955af0302af155d Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 22 Jan 2019 18:34:58 -0500 +Subject: [PATCH] Remove ovsec_adm_export dump format support + +Dumping only suported single-DES principals. While importing still +functioned, it would only have been useful for extremely old (1.3-era) +KDCs. + +ticket: 8798 (new) +(cherry picked from commit 23b93fd48bc445005436c5be98a7269b599b1800) +--- + doc/admin/admin_commands/kdb5_util.rst | 11 +-- + doc/admin/database.rst | 14 ---- + src/kadmin/dbutil/dump.c | 109 ++----------------------- + src/kadmin/dbutil/kdb5_util.c | 4 +- + src/man/kdb5_util.man | 13 +-- + src/tests/Makefile.in | 6 -- + src/tests/t_dump.py | 8 -- + 7 files changed, 13 insertions(+), 152 deletions(-) + +diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst +index fee68261a..7dd54f797 100644 +--- a/doc/admin/admin_commands/kdb5_util.rst ++++ b/doc/admin/admin_commands/kdb5_util.rst +@@ -136,7 +136,7 @@ dump + + .. _kdb5_util_dump: + +- **dump** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] ++ **dump** [**-b7**\|\ **-r13**\|\ **-r18**] + [**-verbose**] [**-mkey_convert**] [**-new_mkey_file** + *mkey_file*] [**-rev**] [**-recurse**] [*filename* + [*principals*...]] +@@ -151,9 +151,6 @@ load_dump version 7". If filename is not specified, or is the string + load_dump version 4"). This was the dump format produced on + releases prior to 1.2.2. + +-**-ov** +- causes the dump to be in "ovsec_adm_export" format. +- + **-r13** + causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util + load_dump version 5"). This was the dump format produced on +@@ -204,7 +201,7 @@ load + + .. _kdb5_util_load: + +- **load** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] [**-hash**] ++ **load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**] + [**-verbose**] [**-update**] *filename* + + Loads a database dump from the named file into the named database. 
If +@@ -222,10 +219,6 @@ Options: + ("kdb5_util load_dump version 4"). This was the dump format + produced on releases prior to 1.2.2. + +-**-ov** +- requires the database to be in "ovsec_adm_import" format. Must be +- used with the **-update** option. +- + **-r13** + requires the database to be in Kerberos 5 1.3 format ("kdb5_util + load_dump version 5"). This was the dump format produced on +diff --git a/doc/admin/database.rst b/doc/admin/database.rst +index 2b02af3a0..113a680a6 100644 +--- a/doc/admin/database.rst ++++ b/doc/admin/database.rst +@@ -393,20 +393,6 @@ To dump a single principal and later load it, updating the database: + If the database file exists, and the *-update* flag was not + given, *kdb5_util* will overwrite the existing database. + +-Using kdb5_util to upgrade a master KDC from krb5 1.1.x: +- +-:: +- +- shell% kdb5_util dump old-kdb-dump +- shell% kdb5_util dump -ov old-kdb-dump.ov +- [Create a new KDC installation, using the old stash file/master password] +- shell% kdb5_util load old-kdb-dump +- shell% kdb5_util load -update old-kdb-dump.ov +- +-The use of old-kdb-dump.ov for an extra dump and load is necessary +-to preserve per-principal policy information, which is not included in +-the default dump format of krb5 1.1.x. +- + .. note:: + + Using kdb5_util to dump and reload the principal database is +diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c +index 8301a33d0..19f2cc230 100644 +--- a/src/kadmin/dbutil/dump.c ++++ b/src/kadmin/dbutil/dump.c +@@ -484,83 +484,6 @@ dump_r1_11_policy(void *data, osa_policy_ent_t entry) + fprintf(arg->ofile, "\n"); + } + +-static void +-print_key_data(FILE *f, krb5_key_data *kd) +-{ +- int c; +- +- fprintf(f, "%d\t%d\t", kd->key_data_type[0], kd->key_data_length[0]); +- for (c = 0; c < kd->key_data_length[0]; c++) +- fprintf(f, "%02x ", kd->key_data_contents[0][c]); +-} +- +-/* Output osa_adb_princ_ent data in a printable serialized format, suitable for +- * ovsec_adm_import consumption. 
*/ +-static krb5_error_code +-dump_ov_princ(krb5_context context, krb5_db_entry *entry, const char *name, +- FILE *fp, krb5_boolean verbose, krb5_boolean omit_nra) +-{ +- char *princstr; +- unsigned int x; +- int y, foundcrc; +- krb5_tl_data tl_data; +- osa_princ_ent_rec adb; +- XDR xdrs; +- krb5_key_data *key_data; +- +- tl_data.tl_data_type = KRB5_TL_KADM_DATA; +- if (krb5_dbe_lookup_tl_data(context, entry, &tl_data) || +- tl_data.tl_data_length == 0) +- return 0; +- +- memset(&adb, 0, sizeof(adb)); +- xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents, +- tl_data.tl_data_length, XDR_DECODE); +- if (!xdr_osa_princ_ent_rec(&xdrs, &adb)) { +- xdr_destroy(&xdrs); +- return KADM5_XDR_FAILURE; +- } +- xdr_destroy(&xdrs); +- +- krb5_unparse_name(context, entry->princ, &princstr); +- fprintf(fp, "princ\t%s\t", princstr); +- if (adb.policy == NULL) +- fputc('\t', fp); +- else +- fprintf(fp, "%s\t", adb.policy); +- fprintf(fp, "%lx\t%d\t%d\t%d", adb.aux_attributes, adb.old_key_len, +- adb.old_key_next, adb.admin_history_kvno); +- +- for (x = 0; x < adb.old_key_len; x++) { +- foundcrc = 0; +- for (y = 0; y < adb.old_keys[x].n_key_data; y++) { +- key_data = &adb.old_keys[x].key_data[y]; +- if (key_data->key_data_type[0] != ENCTYPE_DES_CBC_CRC) +- continue; +- if (foundcrc) { +- fprintf(stderr, _("Warning! Multiple DES-CBC-CRC keys for " +- "principal %s; skipping duplicates.\n"), +- princstr); +- continue; +- } +- foundcrc++; +- +- fputc('\t', fp); +- print_key_data(fp, key_data); +- } +- if (!foundcrc) { +- fprintf(stderr, _("Warning! 
No DES-CBC-CRC key for principal %s, " +- "cannot generate OV-compatible record; " +- "skipping\n"), princstr); +- } +- } +- +- fputc('\n', fp); +- free(princstr); +- xdr_free(xdr_osa_princ_ent_rec, &adb); +- return 0; +-} +- + static krb5_error_code + dump_iterator(void *ptr, krb5_db_entry *entry) + { +@@ -1101,14 +1024,6 @@ process_k5beta7_record(krb5_context context, const char *fname, FILE *filep, + process_k5beta7_princ, process_k5beta7_policy); + } + +-static int +-process_ov_record(krb5_context context, const char *fname, FILE *filep, +- krb5_boolean verbose, int *linenop) +-{ +- return process_tagged(context, fname, filep, verbose, linenop, +- process_ov_principal, process_k5beta7_policy); +-} +- + static int + process_r1_8_record(krb5_context context, const char *fname, FILE *filep, + krb5_boolean verbose, int *linenop) +@@ -1135,16 +1050,6 @@ dump_version beta7_version = { + dump_k5beta7_policy, + process_k5beta7_record, + }; +-dump_version ov_version = { +- "OpenV*Secure V1.0", +- "OpenV*Secure V1.0\t", +- 1, +- 0, +- 0, +- dump_ov_princ, +- dump_k5beta7_policy, +- process_ov_record +-}; + dump_version r1_3_version = { + "Kerberos version 5 release 1.3", + "kdb5_util load_dump version 5\n", +@@ -1267,7 +1172,7 @@ current_dump_sno_in_ulog(krb5_context context, const char *ifile) + + /* + * usage is: +- * dump_db [-b7] [-ov] [-r13] [-r18] [-verbose] [-mkey_convert] ++ * dump_db [-b7] [-r13] [-r18] [-verbose] [-mkey_convert] + * [-new_mkey_file mkey_file] [-rev] [-recurse] + * [filename [principals...]] + */ +@@ -1302,7 +1207,8 @@ dump_db(int argc, char **argv) + if (!strcmp(argv[aindex], "-b7")) { + dump = &beta7_version; + } else if (!strcmp(argv[aindex], "-ov")) { +- dump = &ov_version; ++ fprintf(stderr, _("OV dump format not supported\n")); ++ goto error; + } else if (!strcmp(argv[aindex], "-r13")) { + dump = &r1_3_version; + } else if (!strcmp(argv[aindex], "-r18")) { +@@ -1515,8 +1421,7 @@ restore_dump(krb5_context context, char *dumpfile, FILE *f, + 
} + + /* +- * Usage: load_db [-ov] [-b7] [-r13] [-r18] [-verbose] [-update] [-hash] +- * filename ++ * Usage: load_db [-b7] [-r13] [-r18] [-verbose] [-update] [-hash] filename + */ + void + load_db(int argc, char **argv) +@@ -1540,7 +1445,8 @@ load_db(int argc, char **argv) + if (!strcmp(argv[aindex], "-b7")){ + load = &beta7_version; + } else if (!strcmp(argv[aindex], "-ov")) { +- load = &ov_version; ++ fprintf(stderr, _("OV dump format not supported\n")); ++ goto error; + } else if (!strcmp(argv[aindex], "-r13")) { + load = &r1_3_version; + } else if (!strcmp(argv[aindex], "-r18")){ +@@ -1605,9 +1511,6 @@ load_db(int argc, char **argv) + load = &r1_8_version; + } else if (strcmp(buf, r1_11_version.header) == 0) { + load = &r1_11_version; +- } else if (strncmp(buf, ov_version.header, +- strlen(ov_version.header)) == 0) { +- load = &ov_version; + } else { + fprintf(stderr, _("%s: dump header bad in %s\n"), progname, + dumpfile); +diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c +index accc959e0..e73e2c68e 100644 +--- a/src/kadmin/dbutil/kdb5_util.c ++++ b/src/kadmin/dbutil/kdb5_util.c +@@ -85,10 +85,10 @@ void usage() + "\tcreate [-s]\n" + "\tdestroy [-f]\n" + "\tstash [-f keyfile]\n" +- "\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n" ++ "\tdump [-old|-b6|-b7|-r13|-r18] [-verbose]\n" + "\t [-mkey_convert] [-new_mkey_file mkey_file]\n" + "\t [-rev] [-recurse] [filename [princs...]]\n" +- "\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] " ++ "\tload [-old|-b6|-b7|-r13|-r18] [-verbose] [-update] " + "filename\n" + "\tark [-e etype_list] principal\n" + "\tadd_mkey [-e etype] [-s]\n" +diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man +index 5ebc68a57..9a36ef0df 100644 +--- a/src/man/kdb5_util.man ++++ b/src/man/kdb5_util.man +@@ -1,6 +1,6 @@ + .\" Man page generated from reStructuredText. + . 
+-.TH "KDB5_UTIL" "8" " " "1.17" "MIT Kerberos" ++.TH "KDB5_UTIL" "8" " " "1.18" "MIT Kerberos" + .SH NAME + kdb5_util \- Kerberos database maintenance utility + . +@@ -136,7 +136,7 @@ kdc.conf(5)\&. + .SS dump + .INDENT 0.0 + .INDENT 3.5 +-\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] ++\fBdump\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP] + [\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP + \fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP + [\fIprincipals\fP\&...]] +@@ -154,9 +154,6 @@ causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util + load_dump version 4"). This was the dump format produced on + releases prior to 1.2.2. + .TP +-\fB\-ov\fP +-causes the dump to be in "ovsec_adm_export" format. +-.TP + \fB\-r13\fP + causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util + load_dump version 5"). This was the dump format produced on +@@ -203,7 +200,7 @@ doing a normal dump instead of a recursive traversal. + .SS load + .INDENT 0.0 + .INDENT 3.5 +-\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP] ++\fBload\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP] + [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP + .UNINDENT + .UNINDENT +@@ -224,10 +221,6 @@ requires the database to be in the Kerberos 5 Beta 7 format + ("kdb5_util load_dump version 4"). This was the dump format + produced on releases prior to 1.2.2. + .TP +-\fB\-ov\fP +-requires the database to be in "ovsec_adm_import" format. Must be +-used with the \fB\-update\fP option. +-.TP + \fB\-r13\fP + requires the database to be in Kerberos 5 1.3 format ("kdb5_util + load_dump version 5"). 
This was the dump format produced on +diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in +index e27617ee2..c96c5d6b7 100644 +--- a/src/tests/Makefile.in ++++ b/src/tests/Makefile.in +@@ -97,7 +97,6 @@ kdb_check: kdc.conf krb5.conf + $(RUN_DB_TEST) ../tests/create/kdb5_mkdums $(KTEST_OPTS) + $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) + $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump +- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump + $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f + @echo "====> NOTE!" + @echo "The following 'create' command is needed due to a change" +@@ -105,16 +104,11 @@ kdb_check: kdc.conf krb5.conf + @echo ==== + $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W + $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump +- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -update -ov $(TEST_DB).ovdump + $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) + $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump2 +- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump2 + sort $(TEST_DB).dump > $(TEST_DB).sort + sort $(TEST_DB).dump2 > $(TEST_DB).sort2 +- sort $(TEST_DB).ovdump > $(TEST_DB).ovsort +- sort $(TEST_DB).ovdump2 > $(TEST_DB).ovsort2 + cmp $(TEST_DB).sort $(TEST_DB).sort2 +- cmp $(TEST_DB).ovsort $(TEST_DB).ovsort2 + $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f + $(RM) $(TEST_DB)* stash_file + +diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py +index d803d5602..5d692df99 100755 +--- a/src/tests/t_dump.py ++++ b/src/tests/t_dump.py +@@ -73,7 +73,6 @@ for realm in multidb_realms(start_kdc=False): + srcdump_r18 = os.path.join(srcdumpdir, 'dump.r18') + srcdump_r13 = os.path.join(srcdumpdir, 'dump.r13') + srcdump_b7 = os.path.join(srcdumpdir, 'dump.b7') +- srcdump_ov = os.path.join(srcdumpdir, 
 'dump.ov')
+
+ # Load a dump file from the source directory.
+ realm.run([kdb5_util, 'destroy', '-f'])
+@@ -86,17 +85,10 @@ for realm in multidb_realms(start_kdc=False):
+ dump_compare(realm, ['-r18'], srcdump_r18)
+ dump_compare(realm, ['-r13'], srcdump_r13)
+ dump_compare(realm, ['-b7'], srcdump_b7)
+- dump_compare(realm, ['-ov'], srcdump_ov)
+
+ # Load each format of dump, check it, re-dump it, and compare.
+ load_dump_check_compare(realm, ['-r18'], srcdump_r18)
+ load_dump_check_compare(realm, ['-r13'], srcdump_r13)
+ load_dump_check_compare(realm, ['-b7'], srcdump_b7)
+
+- # Loading the last (-b7 format) dump won't have loaded the
+- # per-principal kadm data. Load that incrementally with -ov.
+- realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: [none]')
+- realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov])
+- realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: testpol')
+-
+ success('Dump/load tests')
diff --git a/krb5.spec b/krb5.spec
index d8a4805..9863c9f 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 10%{?dist}
+Release: 11%{?dist}
 
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@@ -81,6 +81,8 @@ Patch108: Remove-ccapi-related-comments-in-configure.ac.patch
 Patch109: Remove-doxygen-generated-HTML-output-for-ccapi.patch
 Patch110: Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
 Patch111: Fix-config-realm-change-logic-in-FILE-remove_cred.patch
+Patch112: Remove-confvalidator-utility.patch
+Patch113: Remove-ovsec_adm_export-dump-format-support.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
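Review bot: The two new `-ov` branches in dump_db() and load_db() (src/kadmin/dbutil/dump.c, inside Remove-ovsec_adm_export-dump-format-support.patch) are left untested, because the t_dump.py hunks only delete the old `-ov` cases and add no check that the option is now refused. A negative test along the lines of `realm.run([kdb5_util, 'dump', '-ov', 'dumpfile'], expected_code=1, expected_msg='OV dump format not supported')` would keep the single-DES-only format from being silently re-enabled, and the same applies to `load -ov`; the file name there is constructed and the exit code is assumed, since the `error` label lies outside the hunk. Separately, `process_ov_principal` is referenced only by the removed `process_ov_record` in the visible hunks and no hunk deletes it; if its definition is still in the tree, it is now dead import code and should be removed in the same patch. Both function bodies continue outside the hunks shown.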
@@ -717,6 +719,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Wed Apr 17 2019 Robbie Harwood - 1.17-11
+- Remove ovsec_adm_export and confvalidator
+
 * Wed Apr 17 2019 Robbie Harwood - 1.17-10
 - Fix config realm change logic in FILE remove_cred