Make sure that each DES key is strong. If not, xor first byte with 0xf0

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7140 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/crypto/des/d3_str2ky.c b/src/lib/crypto/des/d3_str2ky.c
index 5f4d7a050bf5e1ff73afe93ece573a69edad36b4..d83810d01eb4fd848474b3fd17b5a856f22ad778 100644 (file)
--- a/src/lib/crypto/des/d3_str2ky.c
+++ b/src/lib/crypto/des/d3_str2ky.c
@@ -90,8 +90,11 @@ const krb5_data FAR * salt;
        return EINVAL;
        
     /* fix key parity */
-    for (j = 0; j < keyblock->length/sizeof(mit_des_cblock); j++)
+    for (j = 0; j < keyblock->length/sizeof(mit_des_cblock); j++) {
        mit_des_fixup_key_parity(*((mit_des_cblock *)key+j));
+       if (mit_des_is_weak_key(*((mit_des_cblock *)key+j)))
+           *((unsigned char *)((mit_des_cblock *)key+j)) ^= 0xf0;
+    }
 
     /* Now, CBC encrypt with itself */
     (void) mit_des3_key_sched(*((mit_des3_cblock *)key), ks);
@@ -111,8 +114,11 @@ const krb5_data FAR * salt;
     krb5_xfree(copystr);
 
     /* now fix up key parity again */
-    for (j = 0; j < keyblock->length/sizeof(mit_des_cblock); j++)
+    for (j = 0; j < keyblock->length/sizeof(mit_des_cblock); j++) {
        mit_des_fixup_key_parity(*((mit_des_cblock *)key+j));
+       if (mit_des_is_weak_key(*((mit_des_cblock *)key+j)))
+           *((unsigned char *)((mit_des_cblock *)key+j)) ^= 0xf0;
+    }
 
     return 0;
 }