* kerberos_v4.c

	Improve the checks that DES keys are being used.
* main.c
	Do not assume that the master key is necessarily a DES key suitable
	for use to initialize the V4 random key generator.  Instead, after
	initializing the DES_CBC_CRC generator, get a random key and use that
	to seed the V4 random key generator.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7494 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c
index de588716ea37ba096fcde722aa3ebcb50f73b5b0..2f37821e434d335fc6d933face578be8f1de08b0 100644 (file)
--- a/src/kdc/kerberos_v4.c
+++ b/src/kdc/kerberos_v4.c
@@ -313,9 +313,14 @@ int compat_decrypt_key (in5, out4)
        lt = klog(L_DEATH_REQ, "KDC can't decrypt principal's key.");
        return(retval);
     }
-    if (out5.length != KRB5_MIT_DES_KEYSIZE) {
-       lt = klog( L_DEATH_REQ,"internal keysize error in kdc");
-    } else {
+    if (out5.length != KRB5_MIT_DES_KEYSIZE)
+       lt = klog(L_DEATH_REQ, "internal keysize error in kdc");
+    else if ((out5.enctype != ENCTYPE_DES_CBC_CRC) &&
+            (out5.enctype != ENCTYPE_DES_CBC_MD4) &&
+            (out5.enctype != ENCTYPE_DES_CBC_MD5) &&
+            (out5.enctype != ENCTYPE_DES_CBC_RAW))
+       lt = klog(L_DEATH_REQ, "incompatible principal key type.");
+    else {
        memcpy(out4, out5.contents, out5.length);
        retval = 0;
     }

diff --git a/src/kdc/main.c b/src/kdc/main.c
index 442e217939ebac499c95fe2ff40bce373cb6abe1..c05f2ee0a81181b1a1d0cba50f08cc3e906be1c2 100644 (file)
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -311,6 +311,9 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
     krb5_key_salt_tuple        *kslist;
     krb5_int32         nkslist;
     int                        i;
+#ifdef KRB5_KRB4_COMPAT
+    static krb5_boolean        k4_inited = FALSE;
+#endif
 
     kret = EINVAL;
     db_inited = 0;
@@ -619,6 +622,10 @@ goto whoops;
            }
            if (!rkey_init_done) {
                krb5_enctype enctype;
+#ifdef KRB5_KRB4_COMPAT
+               krb5_keyblock *temp_key;
+               krb5_encrypt_block temp_eblock;
+#endif
                /*
                 * If all that worked, then initialize the random key
                 * generators.
@@ -633,6 +640,24 @@ goto whoops;
                                    "while setting up random key generator for enctype %d--enctype disabled",
                                    enctype);
                            krb5_enctype_array[enctype] = 0;
+#ifdef KRB5_KRB4_COMPAT
+                       } else if (!k4_inited &&
+                                  (enctype == ENCTYPE_DES_CBC_CRC)) {
+                           krb5_use_enctype(rdp->realm_context,
+                                            &temp_eblock, enctype);
+                           if ((kret = (*krb5_enctype_array[enctype]->
+                                        system->random_key)
+                                (&temp_eblock,
+                                 &krb5_enctype_array[enctype]->random_sequence,
+                                 &temp_key)))
+                               com_err(progname, kret,
+                                       "while initializing V4 random key generator");
+                           else {
+                               k4_inited = 1;
+                               (void) des_init_random_number_generator(temp_key->contents);
+                               krb5_free_keyblock(rdp->realm_context, temp_key);
+                           }
+#endif
                        }
                    }
                }
@@ -887,9 +912,6 @@ char *argv[];
        finish_realms(argv[0]);
        return 1;
     }
-#ifdef KRB5_KRB4_COMPAT
-    des_init_random_number_generator(master_keyblock.contents);
-#endif
     if (!nofork && daemon(0, 0)) {
        com_err(argv[0], errno, "while detaching from tty");
        finish_realms(argv[0]);