[1164] in Kerberos_V5_Development
conversion patches
daemon@ATHENA.MIT.EDU (Richard Basch)
Sat May 11 21:58:05 1996
Date: Sat, 11 May 1996 21:57:43 -0400
To: hartmans@MIT.EDU
Cc: krbdev@MIT.EDU
From: "Richard Basch" <basch@lehman.com>
[Being cc'd to krbdev, because of the master key conversion facility...
I will clean it up and integrate it post beta-6. However, it might be a
useful post to the mailing list, before beta-7.]
Ok...
In this version of kdb5_edit:
load_db -convert <old_stash> <new_stash> <dump_file> <database>
Be aware that you will have to convert the stash file to have enctype 7
instead of enctype 5: des3-cbc-md5 is enctype 7 in this version, for
the convenience of doing the conversion.
Also, remember to check out the last version of
src/lib/crypto/des3_md5.c before applying the patch, as this relies on
that file.
Don't stress the des3-cbc-md5 code too much; I only have enough enabled
to actually do the conversion.
I did the conversion by doing (from memory... check for stupid errors):
cp .../.k5.* /tmp/old_stash
<edit old stash, byte 2: change from \005 to \007>
kdb5_create -d /tmp/xxx -s
kdb5_edit -R -f /tmp/old_stash -R "ddb" > /tmp/old_dump
kdb5_edit -R "lddb -convert /tmp/old_stash
.../.k5... /tmp/old_dump .../principal"
Now start up the Kerberos server again...
As Ted pointed out, there is not much point to using a 3-des K/M, so I
just switched back to a des K/M.
Enjoy, and let me know how it went... I converted the Lehman database
with only minor hitches because of how I coordinated the master/slave
updates. (Think that through carefully, like copying the necessary old
and new stashes beforehand, as well as keeping around both old & new
binaries/libraries ...)
Good luck!
Richard Basch
Sr. Developer/Analyst URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc. Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor Fax: +1-201-524-5828
Jersey City, NJ 07302-3988 Voice: +1-201-524-5049
--- 1.1 1996/05/10 15:57:12
+++ src/lib/crypto/cryptoconf.c 1996/05/10 16:07:47
@@ -124,10 +124,14 @@
#define DES3_CBC_RAW_CSENTRY 0
#endif
+#if ENCTYPE_DES3_CBC_MD5
+#define DES3_CBC_MD5_CSENTRY &krb5_des3_md5_cst_entry
+#endif
+
/* WARNING:
- make sure the order of entries in these tables matches the #defines in
- "krb5/encryption.h"
+ make sure the order of entries in these tables matches the defines in
+ "krb5.h"
*/
krb5_cs_table_entry * NEAR krb5_enctype_array[] = {
@@ -137,7 +141,10 @@
DES_CBC_MD5_CSENTRY, /* ENCTYPE_DES_CBC_MD5 */
DES_CBC_RAW_CSENTRY, /* ENCTYPE_DES_CBC_RAW */
DES3_CBC_SHA_CSENTRY, /* ENCTYPE_DES3_CBC_SHA */
- DES3_CBC_RAW_CSENTRY /* ENCTYPE_DES3_CBC_RAW */
+ DES3_CBC_RAW_CSENTRY, /* ENCTYPE_DES3_CBC_RAW */
+#if ENCTYPE_DES3_CBC_MD5
+ DES3_CBC_MD5_CSENTRY, /* ENCTYPE_DES3_CBC_MD5 - compat */
+#endif
};
krb5_enctype krb5_max_enctype = sizeof(krb5_enctype_array)/sizeof(krb5_enctype_array[0]) - 1;
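Review bot: The new `#if`'d table slot makes `krb5_max_enctype` (computed from the array size just below) cover 0x0007, so any range check against it will accept des3-cbc-md5 as an ordinary enctype, while the cover note says only enough of that code is enabled to run the conversion. The slot's comment should carry that caveat, e.g. `/* ENCTYPE_DES3_CBC_MD5 - site-local compat; master-key conversion only */`. The slot also depends on the value being exactly one past ENCTYPE_DES3_CBC_RAW, which the WARNING above the table asks for but which nothing enforces at compile time.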
--- 1.1 1996/05/10 16:04:16
+++ src/lib/crypto/Makefile.in 1996/05/10 16:07:46
@@ -16,8 +16,9 @@
decrypt_data.$(OBJEXT) \
des_crc.$(OBJEXT) \
des_md5.$(OBJEXT) \
- des3_sha.$(OBJEXT) \
+ des3_md5.$(OBJEXT) \
des3_raw.$(OBJEXT) \
+ des3_sha.$(OBJEXT) \
raw_des.$(OBJEXT)
SRCS= $(srcdir)/cryptoconf.c \
@@ -25,8 +26,9 @@
$(srcdir)/decrypt_data.c \
$(srcdir)/des_crc.c \
$(srcdir)/des_md5.c \
- $(srcdir)/des3_sha.c \
+ $(srcdir)/des3_md5.c \
$(srcdir)/des3_raw.c \
+ $(srcdir)/des3_sha.c \
$(srcdir)/raw_des.c
LIB_SUBDIRS= des md4 md5 sha crc32 os .
--- 1.1 1996/05/10 16:04:48
+++ src/lib/crypto/des3_md5.c 1996/05/10 16:05:30
@@ -1,5 +1,5 @@
/*
- * lib/crypto/des3-md5.32
+ * lib/crypto/des3-md5.c
*
* Copyright 1994 by the Massachusetts Institute of Technology.
* All Rights Reserved.
@@ -22,6 +22,9 @@
*/
#include "k5-int.h"
+
+#if ENCTYPE_DES3_CBC_MD5
+
#include "rsa-md5.h"
#include "des_int.h"
@@ -171,3 +174,5 @@
size - sizeof(mit_des_cblock) - RSA_MD5_CKSUM_LENGTH);
return 0;
}
+
+#endif /* ENCTYPE_DES3_CBC_MD5 */
--- 1.1 1996/05/10 16:09:23
+++ src/lib/crypto/des/d3_procky.c 1996/05/10 16:09:44
@@ -31,6 +31,9 @@
struct mit_des_ks_struct *schedule; /* pointer to key schedules */
if ((keyblock->enctype != ENCTYPE_DES3_CBC_SHA) &&
+#if ENCTYPE_DES3_CBC_MD5
+ (keyblock->enctype != ENCTYPE_DES3_CBC_MD5) &&
+#endif
(keyblock->enctype != ENCTYPE_DES3_CBC_RAW))
return KRB5_PROG_ETYPE_NOSUPP;
--- 1.1 1996/05/10 16:10:25
+++ src/lib/crypto/des/init_rkey.c 1996/05/10 16:11:27
@@ -64,6 +64,9 @@
case ENCTYPE_DES3_CBC_SHA:
case ENCTYPE_DES3_CBC_RAW:
+#if ENCTYPE_DES3_CBC_MD5
+ case ENCTYPE_DES3_CBC_MD5:
+#endif
enctype = ENCTYPE_DES3_CBC_RAW;
break;
--- 1.1 1996/05/10 16:11:05
+++ src/lib/crypto/des/d3_str2ky.c 1996/05/10 16:11:26
@@ -52,6 +52,9 @@
krb5_enctype enctype = eblock->crypto_entry->proto_enctype;
if ((enctype == ENCTYPE_DES3_CBC_SHA) ||
+#if ENCTYPE_DES3_CBC_MD5
+ (enctype == ENCTYPE_DES3_CBC_MD5) ||
+#endif
(enctype == ENCTYPE_DES3_CBC_RAW))
keyblock->length = sizeof(mit_des3_cblock);
else
--- 1.1 1996/05/10 18:48:22
+++ src/lib/crypto/des/des_int.h 1996/05/10 18:49:13
@@ -76,6 +76,10 @@
extern krb5_cs_table_entry krb5_des_md5_cst_entry;
extern krb5_cs_table_entry krb5_des3_sha_cst_entry;
extern krb5_cs_table_entry krb5_des3_raw_cst_entry;
+#if ENCTYPE_DES3_CBC_MD5
+extern krb5_cs_table_entry krb5_des3_md5_cst_entry;
+#endif
+
extern krb5_checksum_entry krb5_des_cbc_cksumtable_entry;
/*
--- 1.1 1996/05/10 16:06:22
+++ src/lib/krb5/krb/str_conv.c 1996/05/10 18:51:43
@@ -97,6 +97,10 @@
static const char enctype_descbcmd5_out[] = "DES cbc mode with RSA-MD5";
static const char enctype_des3cbcsha_out[] = "DES-3 cbc mode with NIST-SHA";
static const char enctype_descbcraw_out[] = "DES cbc mode raw";
+#if ENCTYPE_DES3_CBC_MD5
+static const char enctype_des3cbcmd5_in[] = "des3-cbc-md5";
+static const char enctype_des3cbcmd5_out[] = "DES-3 cbc mode with RSA-MD5";
+#endif
/* Salttype strings */
static const char stype_v5_in[] = "normal";
@@ -189,7 +193,10 @@
{ ENCTYPE_DES_CBC_MD4, enctype_descbcmd4_in, enctype_descbcmd4_out },
{ ENCTYPE_DES_CBC_MD5, enctype_descbcmd5_in, enctype_descbcmd5_out },
{ ENCTYPE_DES3_CBC_SHA, enctype_des3cbcsha_in, enctype_des3cbcsha_out },
-{ ENCTYPE_DES_CBC_RAW, enctype_descbcraw_in, enctype_descbcraw_out }
+{ ENCTYPE_DES_CBC_RAW, enctype_descbcraw_in, enctype_descbcraw_out },
+#if ENCTYPE_DES3_CBC_MD5
+{ ENCTYPE_DES3_CBC_MD5, enctype_des3cbcmd5_in, enctype_des3cbcmd5_out },
+#endif
};
static const int enctype_table_nents = sizeof(enctype_table)/
sizeof(enctype_table[0]);
--- 1.1 1996/05/10 15:59:51
+++ src/include/krb5.hin 1996/05/10 16:00:50
@@ -414,6 +414,9 @@
#define ENCTYPE_DES_CBC_RAW 0x0004 /* DES cbc mode raw */
#define ENCTYPE_DES3_CBC_SHA 0x0005 /* DES-3 cbc mode with NIST-SHA */
#define ENCTYPE_DES3_CBC_RAW 0x0006 /* DES-3 cbc mode raw */
+#ifdef LEHMAN
+#define ENCTYPE_DES3_CBC_MD5 0x0007 /* compat */
+#endif
#define ENCTYPE_UNKNOWN 0x01ff
#define CKSUMTYPE_CRC32 0x0001
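Review bot: `#define ENCTYPE_DES3_CBC_MD5 0x0007 /* compat */` introduces a locally chosen value into the protocol-wide enctype number space under a site macro, and the `compat` comment does not say what it is compatible with or that the number is not an assigned one. A reader of the generated header needs that stated, e.g. `/* site-local: old des3-cbc-md5 master-key format, used only for kdb conversion; not an assigned enctype */`. Since the value is exposed to everything that includes krb5.h when LEHMAN is defined, the comment should also say the definition is meant for the conversion build only.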
--- 1.1 1996/05/10 17:40:36
+++ src/admin/edit/dump.c 1996/05/11 00:10:49
@@ -114,7 +114,7 @@
static const char read_econtents[] = "extra data contents";
static const char k5beta_fmt_name[] = "Kerberos version 5 old format";
static const char standard_fmt_name[] = "Kerberos version 5 format";
-static const char lusage_err_fmt[] = "%s: usage is %s [%s] [%s] [%s] filename dbname\n";
+static const char lusage_err_fmt[] = "%s: usage is %s [%s] [%s] [%s] [%s old-stash new-stash] filename dbname\n";
static const char no_name_mem_fmt[] = "%s: cannot get memory for temporary name\n";
static const char ctx_err_fmt[] = "%s: cannot initialize Kerberos context\n";
static const char stdin_name[] = "standard input";
@@ -130,7 +130,15 @@
static const char oldoption[] = "-old";
static const char verboseoption[] = "-verbose";
static const char updateoption[] = "-update";
+static const char convertoption[] = "-convert";
static const char dump_tmptrail[] = "~";
+
+
+static int convert=0;
+static char *oldstash, *newstash;
+static krb5_encrypt_block old_meblock, new_meblock;
+static krb5_keyblock old_mkey, new_mkey;
+static krb5_principal master_princ;
/*
* Update the "ok" file.
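Review bot: `static krb5_keyblock old_mkey, new_mkey;` keeps both master keys in cleartext in file-scope statics for the life of the process, and nothing in the patch clears them once the load has finished, so they stay resident (and land in any core file) after the conversion is done. I would document that on the declaration, `/* cleartext old/new master keys; valid only during a -convert load, clear when load_db returns */`, and clear them together with old_meblock/new_meblock at the end of load_db. Minor: `static int convert=0;` should read `static int convert = 0;` like the surrounding initialised declarations.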
@@ -1384,6 +1392,30 @@
}
}
}
+
+ if (!error && convert) {
+ /* (master key change) */
+ krb5_keyblock key, *nkey;
+ krb5_keysalt salt;
+
+ kret = krb5_dbekd_decrypt_key_data(kcontext,
+ &old_meblock, kdatap, &key, &salt);
+ if (!kret) {
+ if (krb5_principal_compare(kcontext,
+ master_princ,
+ dbentry.princ)) {
+ krb5_copy_keyblock(kcontext,
+ &new_mkey, &nkey);
+ } else
+ krb5_copy_keyblock(kcontext, &key, &nkey);
+ kret = krb5_dbekd_encrypt_key_data(kcontext,
+ &new_meblock, nkey, &salt,
+ kdatap->key_data_kvno,
+ kdatap);
+ krb5_free_keyblock(kcontext, nkey);
+ }
+ if (kret) error++;
+ }
}
}
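Review bot: The decrypted long-term key obtained from krb5_dbekd_decrypt_key_data into `key` is never released, so every principal's cleartext key leaks into the heap for the rest of the run, and the two krb5_copy_keyblock calls have their return value dropped, which leaves `nkey` uninitialised on failure before it is handed to krb5_dbekd_encrypt_key_data. Carry the copy's result in kret, encrypt only when it succeeded, and release `key` on every path (krb5_free_keyblock_contents, or whatever this tree uses to free key.contents); whether krb5_free_keyblock scrubs the buffer before freeing is not visible here, so a cleartext key copy may still need explicit clearing. The enclosing function starts and ends outside this hunk.
```c
    if (!error && convert) {
        /* (master key change): re-encrypt this entry's keys under the new K/M */
        krb5_keyblock key, *nkey = NULL;
        krb5_keysalt salt;

        kret = krb5_dbekd_decrypt_key_data(kcontext,
                                           &old_meblock, kdatap, &key, &salt);
        if (!kret) {
            /* the master principal's own entry carries the new master key */
            if (krb5_principal_compare(kcontext, master_princ, dbentry.princ))
                kret = krb5_copy_keyblock(kcontext, &new_mkey, &nkey);
            else
                kret = krb5_copy_keyblock(kcontext, &key, &nkey);
            if (!kret) {
                kret = krb5_dbekd_encrypt_key_data(kcontext,
                                                   &new_meblock, nkey, &salt,
                                                   kdatap->key_data_kvno,
                                                   kdatap);
                krb5_free_keyblock(kcontext, nkey);
            }
            /* do not leave the decrypted long-term key behind */
            krb5_free_keyblock_contents(kcontext, &key);
        }
        if (kret) error++;
    }
```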
@@ -1580,7 +1612,7 @@
/*
* Usage is
- * load_db [-old] [-verbose] [-update] filename dbname
+ * load_db [-old] [-verbose] [-update] [-convert old_stash new_stash] filename dbname
*/
void
load_db(argc, argv)
@@ -1630,12 +1662,17 @@
else if (!strcmp(argv[aindex], updateoption)) {
update = 1;
}
+ else if (!strcmp(argv[aindex], convertoption)) {
+ convert = 1;
+ oldstash = argv[++aindex];
+ newstash = argv[++aindex];
+ }
else
break;
}
if ((argc - aindex) != 2) {
fprintf(stderr, lusage_err_fmt, argv[0], argv[0],
- oldoption, verboseoption, updateoption);
+ oldoption, verboseoption, updateoption, convertoption);
exit_status++;
return;
}
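Review bot: `oldstash = argv[++aindex]; newstash = argv[++aindex];` reads two argv slots without checking that they exist, so `-convert` given with fewer than two following arguments walks past the end of argv (argv[argc] is NULL and the slot after it is out of bounds) before the `(argc - aindex) != 2` usage check runs. Gating the option on its operands being present lets the missing-operand case fall through to the existing usage path: `else if (!strcmp(argv[aindex], convertoption) && aindex + 2 < argc) {`. The loop header that advances aindex is outside the hunk, so I am assuming it does not itself bound the index.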
@@ -1661,6 +1698,49 @@
return;
}
krb5_init_ets(kcontext);
+
+ if (!kret && convert) {
+ char *realm;
+
+ kret = krb5_get_default_realm(kcontext, &realm);
+ if (kret) {
+ com_err(progname, kret, "while getting default realm name");
+ exit(1);
+ }
+
+ kret = krb5_db_setup_mkey_name(kcontext, 0 /*mkey_name*/, realm,
+ 0 /* mkey_fullname */, &master_princ);
+ if (kret) {
+ com_err(progname, kret, "while setting up master principal");
+ exit(1);
+ }
+
+ old_mkey.enctype = ENCTYPE_UNKNOWN;
+ kret = krb5_db_fetch_mkey(kcontext, master_princ,
+ &old_meblock, 0, 0, oldstash, 0, &old_mkey);
+ if (kret) {
+ com_err(progname, kret, "while reading in old master key stash");
+ exit(1);
+ }
+ kret = krb5_process_key(kcontext, &old_meblock, &old_mkey);
+ if (kret) {
+ com_err(progname, kret, "while processing old master key");
+ exit(1);
+ }
+
+ new_mkey.enctype = ENCTYPE_UNKNOWN;
+ kret = krb5_db_fetch_mkey(kcontext, master_princ,
+ &new_meblock, 0, 0, newstash, 0, &new_mkey);
+ if (kret) {
+ com_err(progname, kret, "while reading in new master key stash");
+ exit(1);
+ }
+ kret = krb5_process_key(kcontext, &new_meblock, &new_mkey);
+ if (kret) {
+ com_err(progname, kret, "while processing new master key");
+ exit(1);
+ }
+ }
/*
* Open the dumpfile
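Review bot: Each failure in the new convert setup calls `exit(1)` directly, whereas the rest of load_db (the usage failure a few lines above, `exit_status++; return;`) reports through exit_status and returns to the caller, so these paths skip whatever teardown the caller does after load_db. Using `exit_status++; return;` on all four error paths keeps the command's error reporting uniform. The realm string obtained from krb5_get_default_realm is also never released after master_princ has been built; it should be freed there. load_db continues past the end of this hunk, so I am assuming no later code in it relies on the process exiting here.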