=================================================================== RCS file: server/RCS/kerberos.c,v retrieving revision 4.21 diff -u -r4.21 server/kerberos.c --- server/kerberos.c 1995/04/22 04:57:04 4.21 +++ server/kerberos.c 1996/02/10 21:04:38 @@ -1,5 +1,5 @@ /* - * $Source: /afs/net/project/krb4/src/server/RCS/kerberos.c,v $ + * $Source: /afs/net.mit.edu/project/krb4/src/server/RCS/kerberos.c,v $ * $Author: tytso $ * * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute @@ -11,7 +11,7 @@ #ifndef lint static char *rcsid_kerberos_c = -"$Header: /afs/net/project/krb4/src/server/RCS/kerberos.c,v 4.21 1995/04/22 04:57:04 tytso Exp tytso $"; +"$Header: /afs/net.mit.edu/project/krb4/src/server/RCS/kerberos.c,v 4.21 95/04/22 04:57:04 tytso Exp Locker: tytso $"; #endif lint #include @@ -265,6 +265,7 @@ bzero (master_key_schedule, sizeof (master_key_schedule)); exit (-1); } + des_init_random_number_generator(master_key); master_key_version = (u_char) kerror; @@ -440,7 +441,7 @@ bzero(session_key, sizeof(C_Block)); #else /* random session key */ - random_key(session_key); + des_new_random_key(session_key); #endif /* unseal server's key from master key */ @@ -577,7 +578,7 @@ bzero(session_key, sizeof(C_Block)); #else /* random session key */ - random_key(session_key); + des_new_random_key(session_key); #endif krb_create_ticket(tk, k_flags, ad->pname, ad->pinst, =================================================================== RCS file: admin/RCS/kdb_edit.c,v retrieving revision 4.6 diff -u -r4.6 admin/kdb_edit.c --- admin/kdb_edit.c 1992/11/10 14:50:03 4.6 +++ admin/kdb_edit.c 1996/02/17 02:51:43 @@ -163,6 +163,8 @@ stdout)) < 0) exit (-1); + des_init_random_number_generator(master_key); + /* lookup the default values */ n = kerb_get_principal(KERB_DEFAULT_NAME, KERB_DEFAULT_INST, &default_princ, 1, &more); 
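Review bot: The added `des_init_random_number_generator(master_key);` in server/kerberos.c @@ -265 seeds the generator from the master key alone and carries no comment recording that every session key the KDC issues (the des_new_random_key calls at @@ -440 and @@ -577) now depends on this single call having run first; a comment such as `/* seed the DES PRNG from the master key; all session keys issued below come from it, so this must precede any ticket building */` would preserve that ordering constraint. Because the master key is a long-lived, rarely changed secret, unpredictability of session keys across KDC restarts rests on des_init_random_number_generator also mixing in per-invocation state (time, pid or similar) rather than on the key by itself — its body is not in this patch, so that assumption should be confirmed against the DES library before relying on it. The same seeding pattern appears in admin/kdb_edit.c @@ -163, admin/kdb_init.c @@ -94 and main() of the new admin/fix_kdb_keys.c, where the same comment applies. The enclosing function starts and ends outside this hunk.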
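Review bot: The result of `des_new_random_key(session_key);` is discarded in server/kerberos.c @@ -440 and again at @@ -577 (likewise `des_new_random_key(new_key);` in admin/kdb_edit.c @@ -270 and admin/kdb_init.c @@ -141), whereas the kadmin/ksrvutil.c hunk writes `(void) des_new_random_key(new_key);` — the call sites should agree on whether the return value carries an error. If the function can report failure, the KDC would otherwise go on to build a ticket with whatever the uninitialized C_Block held; if it cannot by contract, the explicit `(void)` cast plus a one-line comment saying so is the cheaper fix. Either way, this ordering only holds because the seeding call at @@ -265 runs before any request is served, which is worth stating at the first of these call sites. The enclosing functions start and end outside these hunks.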
@@ -270,7 +272,7 @@ bzero(new_key, sizeof(C_Block)); new_key[0] = 127; #else - random_key(new_key); /* yes, random */ + des_new_random_key(new_key); /* yes, random */ #endif bzero(pw_str, sizeof pw_str); } =================================================================== RCS file: admin/RCS/kdb_init.c,v retrieving revision 4.0 diff -u -r4.0 admin/kdb_init.c --- admin/kdb_init.c 1989/01/24 21:50:45 4.0 +++ admin/kdb_init.c 1996/02/17 03:06:13 @@ -94,6 +94,7 @@ fprintf (stderr, "Couldn't read master key.\n"); exit (-1); } + des_init_random_number_generator(master_key); if ( add_principal(KERB_M_NAME, KERB_M_INST, MASTER_KEY) || @@ -141,7 +142,7 @@ bzero(new_key, sizeof(C_Block)); new_key[0] = 127; #else - random_key(new_key); + des_new_random_key(new_key); #endif kdb_encrypt_key (new_key, new_key, master_key, master_key_schedule, ENCRYPT); =================================================================== RCS file: kadmin/RCS/ksrvutil.c,v retrieving revision 4.2 diff -u -r4.2 kadmin/ksrvutil.c --- kadmin/ksrvutil.c 1992/11/13 20:58:09 4.2 +++ kadmin/ksrvutil.c 1996/02/14 06:54:38 @@ -554,16 +554,20 @@ char *keyfile; { int status = KADM_SUCCESS; + CREDENTIALS c; if (((status = krb_get_svc_in_tkt(sname, sinst, srealm, PWSERV_NAME, KADM_SINST, 1, keyfile)) == KSUCCESS) && + ((status = krb_get_cred(PWSERV_NAME, KADM_SINST, srealm, &c)) == + KSUCCESS) && ((status = kadm_init_link("changepw", KRB_MASTER, srealm)) == KADM_SUCCESS)) { #ifdef NOENCRYPTION (void) bzero((char *) new_key, sizeof(des_cblock)); new_key[0] = (unsigned char) 1; #else /* NOENCRYPTION */ - (void) des_random_key(new_key); + des_init_random_number_generator(c.session); + (void) des_new_random_key(new_key); #endif /* NOENCRYPTION */ return(KADM_SUCCESS); } =================================================================== RCS file: admin/RCS/Imakefile,v retrieving revision 4.2 diff -u -r4.2 admin/Imakefile --- admin/Imakefile 1992/10/23 15:36:48 4.2 +++ admin/Imakefile 1996/02/20 18:46:13 
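Review bot: In kadmin/ksrvutil.c @@ -554, the `CREDENTIALS c;` added at the top of the hunk receives the service ticket's session key via krb_get_cred and is never cleared: after `des_init_random_number_generator(c.session);` the key stays in the stack frame on the `return(KADM_SUCCESS);` path, while the NOENCRYPTION branch next to it is careful to `bzero` new_key. Add `(void) bzero((char *) &c, sizeof(c));` immediately after the seeding call, and clear it on the failure path too if that path is also inside this frame. The seed here is a session key that the KDC itself generated, so the quality of keys this tool writes into the srvtab is bounded by the KDC's generator; a one-line comment at the seeding call should record that dependency. The enclosing function starts and ends outside this hunk.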
@@ -34,5 +34,6 @@ program(kdb_util,kdb_util.o maketime.o,${DEPLIBS},${LIBS},${DAEMDIR}) program(kstash,kstash.o,${DEPLIBS},${LIBS},${DAEMDIR}) program(make_srvtab,make_srvtab.o,${DEPLIBS},${LIBS},${DAEMDIR}) +program(fix_kdb_keys,fix_kdb_keys.o,${DEPLIBS},${LIBS},${DAEMDIR}) depend:: ${CODE} --- /dev/null Mon Feb 26 11:46:03 1996 +++ admin/fix_kdb_keys.c Tue Feb 20 14:07:59 1996 
@@ -0,0 +1,191 @@
+/*
+ * $Source: /afs/net/project/krb4/src/admin/RCS/kdb_edit.c,v $
+ * $Author: tytso $
+ *
+ * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
+ * of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * .
+ *
+ * This routine changes the Kerberos encryption keys for principals,
+ * i.e., users or services.
+ */
+
+/*
+ * exit returns 0 ==> success -1 ==> error
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#ifdef NEED_TIME_H
+#include
+#endif
+#include
+
+#include
+#include
+#include
+/* MKEYFILE is now defined in kdc.h */
+#include
+
+char prog[32];
+char *progname = prog;
+int nflag = 0;
+int debug = 0;
+extern int krb_debug;
+
+Principal principal_data;
+
+static C_Block master_key;
+static Key_schedule master_key_schedule;
+static long master_key_version;
+
+static char realm[REALM_SZ];
+
+void fatal_error(), cleanup();
+void Usage();
+void change_principal();
+
+int main(argc, argv)
+ int argc;
+ char *argv[];
+{
+ int i;
+
+ prog[sizeof prog - 1] = '\0'; /* make sure terminated */
+ strncpy(prog, argv[0], sizeof prog - 1); /* salt away invoking
+ * program */
+
+ /* Assume a long is four bytes */
+ if (sizeof(long) != 4) {
+ fprintf(stderr, "%s: size of long is %d.\n", prog, sizeof(long));
+ exit(-1);
+ }
+ while (--argc > 0 && (*++argv)[0] == '-')
+ for (i = 1; argv[0][i] != '\0'; i++) {
+ switch (argv[0][i]) {
+
+ /* debug flag */
+ case 'd':
+ debug = 1;
+ continue;
+
+ /* debug flag */
+ case 'l':
+ krb_debug |= 1;
+ continue;
+
+ case 'n': /* read MKEYFILE for master key */
+ nflag = 1;
+ continue;
+
+ default:
+ fprintf(stderr, "%s: illegal flag \"%c\"\n", progname, argv[0][i]);
+ Usage(); /* Give message and die */
+ }
+ };
+
+ if (krb_get_lrealm(realm, 1)) {
+ fprintf(stderr, "Couldn't get local realm information.\n");
+ fatal_error();
+ }
+
+ kerb_init();
+ if (argc > 0) {
+ if (kerb_db_set_name(*argv) != 0) {
+ fprintf(stderr, "Could not open altername database name\n");
+ fatal_error();
+ }
+ }
+
+ if (kdb_get_master_key ((nflag == 0),
+ master_key, master_key_schedule) != 0) {
+ fprintf (stderr, "Couldn't read master key.\n");
+ fatal_error();
+ }
+
+ if ((master_key_version = kdb_verify_master_key(master_key,
+ master_key_schedule,
+ stdout)) < 0)
+ fatal_error();
+
+ des_init_random_number_generator(master_key);
+
+ change_principal("krbtgt", realm);
+ change_principal("changepw", KRB_MASTER);
+
+ cleanup();
+
+ printf("\nKerberos database updated successfully. Note that all\n");
+ printf("existing ticket-granting tickets have been invalidated.\n\n");
+
+ return(0);
+}
+
+void change_principal(input_name, input_instance)
+ char *input_name;
+ char *input_instance;
+{
+ int n, more;
+ C_Block new_key;
+
+ n = kerb_get_principal(input_name, input_instance, &principal_data,
+ 1, &more);
+ if (!n) {
+ fprintf(stderr, "Can't find principal database for %s.%s.\n",
+ input_name, input_instance);
+ fatal_error();
+ }
+ if (more) {
+ fprintf(stderr, "More than one entry for %s.%s.\n", input_name,
+ input_instance);
+ fatal_error();
+ }
+
+ des_new_random_key(new_key);
+
+ /* seal it under the kerberos master key */
+ kdb_encrypt_key (new_key, new_key,
+ master_key, master_key_schedule,
+ ENCRYPT);
+ memcpy(&principal_data.key_low, new_key, 4);
+ memcpy(&principal_data.key_high, ((long *) new_key) + 1, 4);
+ memset(new_key, 0, sizeof(new_key));
+
+ principal_data.key_version++;
+
+ if (kerb_put_principal(&principal_data, 1)) {
+ fprintf(stderr, "\nError updating Kerberos database");
+ fatal_error();
+ }
+
+ memset(&principal_data.key_low, 0, 4);
+ memset(&principal_data.key_high, 0, 4);
+}
+
+void fatal_error()
+{
+ cleanup();
+ exit(1);
+}
+
+void cleanup()
+{
+
+ memset(master_key, 0, sizeof(master_key));
+ memset(master_key_schedule, 0, sizeof(master_key_schedule));
+ memset(&principal_data, 0, sizeof(principal_data));
+}
+
+void Usage()
+{
+ fprintf(stderr, "Usage: %s [-n]\n", progname);
+ exit(1);
+}
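Review bot: In main() of the new admin/fix_kdb_keys.c, `fprintf(stderr, "%s: size of long is %d.\n", prog, sizeof(long));` passes a size_t to `%d`; change it to `fprintf(stderr, "%s: size of long is %d.\n", prog, (int) sizeof(long));` so the argument matches the conversion. The exit status disagrees with the header comment `exit returns 0 ==> success -1 ==> error`: that check exits -1, but fatal_error() and Usage() both `exit(1)` — pick one convention and make the comment match. The file header is copied from kdb_edit.c ($Source still names kdb_edit.c, and the description claims the program changes keys for "principals, i.e., users or services") whereas the code only rekeys the krbtgt instance for the local realm and changepw for KRB_MASTER, and Usage() lists `-n` but not the `-d` and `-l` flags main() accepts; the header and usage text should describe this program. cleanup() zeroes master_key, master_key_schedule and principal_data with plain memset right before exit, which a compiler may drop as dead stores — a volatile-qualified clear or the DES library's own clearing helper, if it has one, would be more dependable.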