From 56be395114bed8e8dd41b91e41e233637488d3ab Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 22 Jan 2019 18:34:58 -0500 Subject: [PATCH] Remove ovsec_adm_export dump format support Dumping only supported single-DES principals. While importing still functioned, it would only have been useful for extremely old (1.3-era) KDCs. ticket: 8798 (new) (cherry picked from commit 23b93fd48bc445005436c5be98a7269b599b1800) --- doc/admin/admin_commands/kdb5_util.rst | 11 +-- doc/admin/database.rst | 14 ---- src/kadmin/dbutil/dump.c | 109 ++----------------------- src/kadmin/dbutil/kdb5_util.c | 4 +- src/man/kdb5_util.man | 13 +-- src/tests/Makefile.in | 6 -- src/tests/t_dump.py | 8 -- 7 files changed, 13 insertions(+), 152 deletions(-) diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst index fee68261a..7dd54f797 100644 --- a/doc/admin/admin_commands/kdb5_util.rst +++ b/doc/admin/admin_commands/kdb5_util.rst @@ -136,7 +136,7 @@ dump .. _kdb5_util_dump: - **dump** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] + **dump** [**-b7**\|\ **-r13**\|\ **-r18**] [**-verbose**] [**-mkey_convert**] [**-new_mkey_file** *mkey_file*] [**-rev**] [**-recurse**] [*filename* [*principals*...]] @@ -151,9 +151,6 @@ load_dump version 7". If filename is not specified, or is the string load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. -**-ov** - causes the dump to be in "ovsec_adm_export" format. - **-r13** causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on @@ -204,7 +201,7 @@ load .. _kdb5_util_load: - **load** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] [**-hash**] + **load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**] [**-verbose**] [**-update**] *filename* Loads a database dump from the named file into the named database. If 
@@ -222,10 +219,6 @@ Options: ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. -**-ov** - requires the database to be in "ovsec_adm_import" format. Must be - used with the **-update** option. - **-r13** requires the database to be in Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on diff --git a/doc/admin/database.rst b/doc/admin/database.rst index 2b02af3a0..113a680a6 100644 --- a/doc/admin/database.rst +++ b/doc/admin/database.rst @@ -393,20 +393,6 @@ To dump a single principal and later load it, updating the database: If the database file exists, and the *-update* flag was not given, *kdb5_util* will overwrite the existing database. -Using kdb5_util to upgrade a master KDC from krb5 1.1.x: - -:: - - shell% kdb5_util dump old-kdb-dump - shell% kdb5_util dump -ov old-kdb-dump.ov - [Create a new KDC installation, using the old stash file/master password] - shell% kdb5_util load old-kdb-dump - shell% kdb5_util load -update old-kdb-dump.ov - -The use of old-kdb-dump.ov for an extra dump and load is necessary -to preserve per-principal policy information, which is not included in -the default dump format of krb5 1.1.x. - .. note:: Using kdb5_util to dump and reload the principal database is diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c index 8301a33d0..19f2cc230 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c 
@@ -484,83 +484,6 @@ dump_r1_11_policy(void *data, osa_policy_ent_t entry)
 fprintf(arg->ofile, "\n");
 }
 
-static void
-print_key_data(FILE *f, krb5_key_data *kd)
-{
- int c;
-
- fprintf(f, "%d\t%d\t", kd->key_data_type[0], kd->key_data_length[0]);
- for (c = 0; c < kd->key_data_length[0]; c++)
- fprintf(f, "%02x ", kd->key_data_contents[0][c]);
-}
-
-/* Output osa_adb_princ_ent data in a printable serialized format, suitable for
- * ovsec_adm_import consumption. */
-static krb5_error_code
-dump_ov_princ(krb5_context context, krb5_db_entry *entry, const char *name,
- FILE *fp, krb5_boolean verbose, krb5_boolean omit_nra)
-{
- char *princstr;
- unsigned int x;
- int y, foundcrc;
- krb5_tl_data tl_data;
- osa_princ_ent_rec adb;
- XDR xdrs;
- krb5_key_data *key_data;
-
- tl_data.tl_data_type = KRB5_TL_KADM_DATA;
- if (krb5_dbe_lookup_tl_data(context, entry, &tl_data) ||
- tl_data.tl_data_length == 0)
- return 0;
-
- memset(&adb, 0, sizeof(adb));
- xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents,
- tl_data.tl_data_length, XDR_DECODE);
- if (!xdr_osa_princ_ent_rec(&xdrs, &adb)) {
- xdr_destroy(&xdrs);
- return KADM5_XDR_FAILURE;
- }
- xdr_destroy(&xdrs);
-
- krb5_unparse_name(context, entry->princ, &princstr);
- fprintf(fp, "princ\t%s\t", princstr);
- if (adb.policy == NULL)
- fputc('\t', fp);
- else
- fprintf(fp, "%s\t", adb.policy);
- fprintf(fp, "%lx\t%d\t%d\t%d", adb.aux_attributes, adb.old_key_len,
- adb.old_key_next, adb.admin_history_kvno);
-
- for (x = 0; x < adb.old_key_len; x++) {
- foundcrc = 0;
- for (y = 0; y < adb.old_keys[x].n_key_data; y++) {
- key_data = &adb.old_keys[x].key_data[y];
- if (key_data->key_data_type[0] != ENCTYPE_DES_CBC_CRC)
- continue;
- if (foundcrc) {
- fprintf(stderr, _("Warning! Multiple DES-CBC-CRC keys for "
- "principal %s; skipping duplicates.\n"),
- princstr);
- continue;
- }
- foundcrc++;
-
- fputc('\t', fp);
- print_key_data(fp, key_data);
- }
- if (!foundcrc) {
- fprintf(stderr, _("Warning! No DES-CBC-CRC key for principal %s, "
- "cannot generate OV-compatible record; "
- "skipping\n"), princstr);
- }
- }
-
- fputc('\n', fp);
- free(princstr);
- xdr_free(xdr_osa_princ_ent_rec, &adb);
- return 0;
-}
-
 static krb5_error_code
 dump_iterator(void *ptr, krb5_db_entry *entry)
 {
@@ -1101,14 +1024,6 @@ process_k5beta7_record(krb5_context context, const char *fname, FILE *filep,
 process_k5beta7_princ, process_k5beta7_policy);
 }
 
-static int
-process_ov_record(krb5_context context, const char *fname, FILE *filep,
- krb5_boolean verbose, int *linenop)
-{
- return process_tagged(context, fname, filep, verbose, linenop,
- process_ov_principal, process_k5beta7_policy);
-}
-
 static int
 process_r1_8_record(krb5_context context, const char *fname, FILE *filep,
 krb5_boolean verbose, int *linenop)
@@ -1135,16 +1050,6 @@ dump_version beta7_version = {
 dump_k5beta7_policy,
 process_k5beta7_record,
 };
-dump_version ov_version = {
- "OpenV*Secure V1.0",
- "OpenV*Secure V1.0\t",
- 1,
- 0,
- 0,
- dump_ov_princ,
- dump_k5beta7_policy,
- process_ov_record
-};
 dump_version r1_3_version = {
 "Kerberos version 5 release 1.3",
 "kdb5_util load_dump version 5\n",
@@ -1267,7 +1172,7 @@ current_dump_sno_in_ulog(krb5_context context, const char *ifile)
 
 /*
 * usage is:
- * dump_db [-b7] [-ov] [-r13] [-r18] [-verbose] [-mkey_convert]
+ * dump_db [-b7] [-r13] [-r18] [-verbose] [-mkey_convert]
 * [-new_mkey_file mkey_file] [-rev] [-recurse]
 * [filename [principals...]]
 */
@@ -1302,7 +1207,8 @@ dump_db(int argc, char **argv)
 if (!strcmp(argv[aindex], "-b7")) {
 dump = &beta7_version;
 } else if (!strcmp(argv[aindex], "-ov")) {
- dump = &ov_version;
+ fprintf(stderr, _("OV dump format not supported\n"));
+ goto error;
 } else if (!strcmp(argv[aindex], "-r13")) {
 dump = &r1_3_version;
 } else if (!strcmp(argv[aindex], "-r18")) {
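Review bot: The retained `-ov` branch in dump_db prints `OV dump format not supported`, which reads like a missing build option rather than the deliberate removal this commit makes; a wording such as `fprintf(stderr, _("The -ov dump format is no longer supported\n"));` would tell an operator not to go looking for a differently built kdb5_util. The matching `-ov` branch in load_db in the next hunk uses the same text and would take the same change. Whether `goto error` yields a nonzero exit status depends on the `error:` label, which lies outside the hunk; if it does, the coverage dropped from t_dump.py could be replaced by a check that the option is rejected, e.g. `realm.run([kdb5_util, 'dump', '-ov', 'OUT_PATH_PLACEHOLDER'], expected_code=1, expected_msg='dump format not supported')`. dump_db begins and ends outside the hunk.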
@@ -1515,8 +1421,7 @@ restore_dump(krb5_context context, char *dumpfile, FILE *f,
 }
 
 /*
- * Usage: load_db [-ov] [-b7] [-r13] [-r18] [-verbose] [-update] [-hash]
- * filename
+ * Usage: load_db [-b7] [-r13] [-r18] [-verbose] [-update] [-hash] filename
 */
 void
 load_db(int argc, char **argv)
@@ -1540,7 +1445,8 @@ load_db(int argc, char **argv)
 if (!strcmp(argv[aindex], "-b7")){
 load = &beta7_version;
 } else if (!strcmp(argv[aindex], "-ov")) {
- load = &ov_version;
+ fprintf(stderr, _("OV dump format not supported\n"));
+ goto error;
 } else if (!strcmp(argv[aindex], "-r13")) {
 load = &r1_3_version;
 } else if (!strcmp(argv[aindex], "-r18")){
@@ -1605,9 +1511,6 @@ load_db(int argc, char **argv)
 load = &r1_8_version;
 } else if (strcmp(buf, r1_11_version.header) == 0) {
 load = &r1_11_version;
- } else if (strncmp(buf, ov_version.header,
- strlen(ov_version.header)) == 0) {
- load = &ov_version;
 } else {
 fprintf(stderr, _("%s: dump header bad in %s\n"),
 progname, dumpfile);
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index accc959e0..e73e2c68e 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -85,10 +85,10 @@ void usage()
 "\tcreate [-s]\n"
 "\tdestroy [-f]\n"
 "\tstash [-f keyfile]\n"
- "\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n"
+ "\tdump [-old|-b6|-b7|-r13|-r18] [-verbose]\n"
 "\t [-mkey_convert] [-new_mkey_file mkey_file]\n"
 "\t [-rev] [-recurse] [filename [princs...]]\n"
- "\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] "
+ "\tload [-old|-b6|-b7|-r13|-r18] [-verbose] [-update] "
 "filename\n"
 "\tark [-e etype_list] principal\n"
 "\tadd_mkey [-e etype] [-s]\n"
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 5ebc68a57..9a36ef0df 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
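Review bot: Dropping the `strncmp` against `ov_version.header` in the header auto-detection means a file that still begins with `OpenV*Secure V1.0` now falls into the `dump header bad in %s` branch, so an operator holding an old `-ov` export is told the file is corrupt rather than that the format was removed. Since the `-ov` option branch earlier in load_db already prints a dedicated message, auto-detection could keep a literal match and reuse it: `} else if (strncmp(buf, "OpenV*Secure V1.0\t", strlen("OpenV*Secure V1.0\t")) == 0) {` / `fprintf(stderr, _("OV dump format not supported\n"));` / `goto error;`, mirroring the option branch. This only changes diagnostics; the remaining header comparisons are untouched. load_db begins and ends outside the hunk.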
@@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KDB5_UTIL" "8" " " "1.17" "MIT Kerberos" +.TH "KDB5_UTIL" "8" " " "1.18" "MIT Kerberos" .SH NAME kdb5_util \- Kerberos database maintenance utility . @@ -136,7 +136,7 @@ kdc.conf(5)\&. .SS dump .INDENT 0.0 .INDENT 3.5 -\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] +\fBdump\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP\&...]] @@ -154,9 +154,6 @@ causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. .TP -\fB\-ov\fP -causes the dump to be in "ovsec_adm_export" format. -.TP \fB\-r13\fP causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on @@ -203,7 +200,7 @@ doing a normal dump instead of a recursive traversal. .SS load .INDENT 0.0 .INDENT 3.5 -\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP] +\fBload\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP] [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP .UNINDENT .UNINDENT @@ -224,10 +221,6 @@ requires the database to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. .TP -\fB\-ov\fP -requires the database to be in "ovsec_adm_import" format. Must be -used with the \fB\-update\fP option. -.TP \fB\-r13\fP requires the database to be in Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index e27617ee2..c96c5d6b7 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in 
@@ -97,7 +97,6 @@ kdb_check: kdc.conf krb5.conf $(RUN_DB_TEST) ../tests/create/kdb5_mkdums $(KTEST_OPTS) $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f @echo "====> NOTE!" @echo "The following 'create' command is needed due to a change" @@ -105,16 +104,11 @@ kdb_check: kdc.conf krb5.conf @echo ==== $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -update -ov $(TEST_DB).ovdump $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump2 - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump2 sort $(TEST_DB).dump > $(TEST_DB).sort sort $(TEST_DB).dump2 > $(TEST_DB).sort2 - sort $(TEST_DB).ovdump > $(TEST_DB).ovsort - sort $(TEST_DB).ovdump2 > $(TEST_DB).ovsort2 cmp $(TEST_DB).sort $(TEST_DB).sort2 - cmp $(TEST_DB).ovsort $(TEST_DB).ovsort2 $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f $(RM) $(TEST_DB)* stash_file diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py index d803d5602..5d692df99 100755 --- a/src/tests/t_dump.py +++ b/src/tests/t_dump.py @@ -73,7 +73,6 @@ for realm in multidb_realms(start_kdc=False): srcdump_r18 = os.path.join(srcdumpdir, 'dump.r18') srcdump_r13 = os.path.join(srcdumpdir, 'dump.r13') srcdump_b7 = os.path.join(srcdumpdir, 'dump.b7') - srcdump_ov = os.path.join(srcdumpdir, 'dump.ov') # Load a dump file from the source directory. realm.run([kdb5_util, 'destroy', '-f']) 
@@ -86,17 +85,10 @@ for realm in multidb_realms(start_kdc=False): dump_compare(realm, ['-r18'], srcdump_r18) dump_compare(realm, ['-r13'], srcdump_r13) dump_compare(realm, ['-b7'], srcdump_b7) - dump_compare(realm, ['-ov'], srcdump_ov) # Load each format of dump, check it, re-dump it, and compare. load_dump_check_compare(realm, ['-r18'], srcdump_r18) load_dump_check_compare(realm, ['-r13'], srcdump_r13) load_dump_check_compare(realm, ['-b7'], srcdump_b7) - # Loading the last (-b7 format) dump won't have loaded the - # per-principal kadm data. Load that incrementally with -ov. - realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: [none]') - realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov]) - realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: testpol') - success('Dump/load tests')