From 8663f65dbb3fdcbc46d239a20588610ea9404df5 Mon Sep 17 00:00:00 2001
From: Richard Basch
Date: Thu, 22 Feb 1996 04:23:30 +0000
Subject: [PATCH] * kerberos_v4.c Improve the checks that DES keys are being used. * main.c Do not assume that the master key is necessarily a DES key suitable for use to initialize the V4 random key generator. Instead, after initializing the DES_CBC_CRC generator, get a random key and use that to seed the V4 random key generator.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7494 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/kerberos_v4.c | 11 ++++++++---
 src/kdc/main.c | 28 +++++++++++++++++++++++++---
 2 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c
index de588716e..2f37821e4 100644
--- a/src/kdc/kerberos_v4.c
+++ b/src/kdc/kerberos_v4.c
@@ -313,9 +313,14 @@ int compat_decrypt_key (in5, out4)
 lt = klog(L_DEATH_REQ, "KDC can't decrypt principal's key.");
 return(retval);
 }
- if (out5.length != KRB5_MIT_DES_KEYSIZE) {
- lt = klog( L_DEATH_REQ,"internal keysize error in kdc");
- } else {
+ if (out5.length != KRB5_MIT_DES_KEYSIZE)
+ lt = klog(L_DEATH_REQ, "internal keysize error in kdc");
+ else if ((out5.enctype != ENCTYPE_DES_CBC_CRC) &&
+ (out5.enctype != ENCTYPE_DES_CBC_MD4) &&
+ (out5.enctype != ENCTYPE_DES_CBC_MD5) &&
+ (out5.enctype != ENCTYPE_DES_CBC_RAW))
+ lt = klog(L_DEATH_REQ, "incompatible principal key type.");
+ else {
 memcpy(out4, out5.contents, out5.length);
 retval = 0;
 }
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 442e21793..c05f2ee0a 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -311,6 +311,9 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
 krb5_key_salt_tuple *kslist;
 krb5_int32 nkslist;
 int i;
+#ifdef KRB5_KRB4_COMPAT
+ static krb5_boolean k4_inited = FALSE;
+#endif
 kret = EINVAL;
 db_inited = 0;
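Review bot: In compat_decrypt_key (src/kdc/kerberos_v4.c) both rejection arms only call klog and never assign `retval`, so the result for a wrong-length or non-DES key depends on whatever `retval` holds from code above the hunk. The earlier `return(retval)` on decrypt failure suggests it may be zero at this point unless it is reset in lines not shown, in which case a rejected key would be reported as success with `out4` never written. Setting the failure explicitly in each arm, for example `retval = -1;` after the klog call (or whichever error value the callers expect), would make the check self-contained. The new chain also mixes unbraced and braced arms; bracing all three would keep a later one-line addition from falling outside its branch. The function body begins and ends outside the hunk.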
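Review bot: The `static` on `k4_inited` in init_realm (src/kdc/main.c) carries the whole "seed the V4 generator at most once" guarantee, since the flag persists across every call to init_realm, and nothing at the declaration says so. A comment such as `/* V4 generator is seeded once per process, not once per realm */` would keep a later cleanup from dropping the `static`; the assumption that the V4 generator state is process-wide should be confirmed against des_init_random_number_generator. The flag is initialised with `FALSE` but assigned `1` in the later hunk; `k4_inited = TRUE;` would match the `krb5_boolean` type. init_realm's body continues outside the hunk.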
@@ -619,6 +622,10 @@ goto whoops;
 }
 if (!rkey_init_done) {
 krb5_enctype enctype;
+#ifdef KRB5_KRB4_COMPAT
+ krb5_keyblock *temp_key;
+ krb5_encrypt_block temp_eblock;
+#endif
 /*
 * If all that worked, then initialize the random key
 * generators.
@@ -633,6 +640,24 @@ goto whoops;
 "while setting up random key generator for enctype %d--enctype disabled",
 enctype);
 krb5_enctype_array[enctype] = 0;
+#ifdef KRB5_KRB4_COMPAT
+ } else if (!k4_inited &&
+ (enctype == ENCTYPE_DES_CBC_CRC)) {
+ krb5_use_enctype(rdp->realm_context,
+ &temp_eblock, enctype);
+ if ((kret = (*krb5_enctype_array[enctype]->
+ system->random_key)
+ (&temp_eblock,
+ &krb5_enctype_array[enctype]->random_sequence,
+ &temp_key)))
+ com_err(progname, kret,
+ "while initializing V4 random key generator");
+ else {
+ k4_inited = 1;
+ (void) des_init_random_number_generator(temp_key->contents);
+ krb5_free_keyblock(rdp->realm_context, temp_key);
+ }
+#endif
 }
 }
 }
@@ -887,9 +912,6 @@ char *argv[];
 finish_realms(argv[0]);
 return 1;
 }
-#ifdef KRB5_KRB4_COMPAT
- des_init_random_number_generator(master_keyblock.contents);
-#endif
 if (!nofork && daemon(0, 0)) {
 com_err(argv[0], errno, "while detaching from tty");
 finish_realms(argv[0]);
-- 
2.26.2
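Review bot: In the `@@ -633` hunk of init_realm, a failing `random_key` call is only logged through com_err, so `k4_inited` stays false and the V4 generator is left unseeded. The last hunk removes the unconditional `des_init_random_number_generator(master_keyblock.contents)` from main(), so nothing visible seeds it afterwards; the same gap exists if no realm ever reaches this arm with ENCTYPE_DES_CBC_CRC enabled. Under KRB5_KRB4_COMPAT that case looks worth treating as a startup failure rather than a warning, since V4 keys would then presumably come from an unseeded generator. Separately, `temp_key` holds the seed itself: unless krb5_free_keyblock is known to scrub the key bytes, add `memset(temp_key->contents, 0, temp_key->length);` before the free, and note in a comment why the return value of des_init_random_number_generator is discarded. The enclosing loop and the `if` that this `else if` hangs off start outside the hunk.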