svn rev #23657: trunk/src/lib/kadm5/srv/

ghudson@MIT.EDU ghudson at MIT.EDU
Thu Jan 14 11:09:24 EST 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=23657
Commit By: ghudson
Log Message:
ticket: 6640
subject: Make history key exempt from permitted_enctypes
tags: pullup
target_version: 1.8

In kdb_init_hist, just use the first key entry in the kadmin/history
entry.  This makes the history key work even if the enctype is
disallowed by allow_weak_crypto=false or other configuration.



Changed Files:
U   trunk/src/lib/kadm5/srv/server_kdb.c
Modified: trunk/src/lib/kadm5/srv/server_kdb.c
===================================================================
--- trunk/src/lib/kadm5/srv/server_kdb.c	2010-01-13 22:40:26 UTC (rev 23656)
+++ trunk/src/lib/kadm5/srv/server_kdb.c	2010-01-14 16:09:24 UTC (rev 23657)
@@ -136,7 +136,6 @@
 {
     int     ret = 0;
     char    *realm, *hist_name;
-    krb5_key_data *key_data;
     krb5_key_salt_tuple ks[1];
     krb5_keyblock *tmp_mkey;
 
@@ -205,10 +204,11 @@
 
     }
 
-    ret = krb5_dbe_find_enctype(handle->context, &hist_db, -1, -1, -1,
-                                &key_data);
-    if (ret)
-        goto done;
+    if (hist_db.n_key_data <= 0) {
+        krb5_set_error_message(handle->context, KRB5_KDB_NO_MATCHING_KEY,
+                               "History entry contains no key data");
+        return KRB5_KDB_NO_MATCHING_KEY;
+    }
 
     ret = krb5_dbe_find_mkey(handle->context, master_keylist, &hist_db,
                              &tmp_mkey);
@@ -216,11 +216,11 @@
         goto done;
 
     ret = krb5_dbekd_decrypt_key_data(handle->context, tmp_mkey,
-                                      key_data, &hist_key, NULL);
+                                      &hist_db.key_data[0], &hist_key, NULL);
     if (ret)
         goto done;
 
-    hist_kvno = key_data->key_data_kvno;
+    hist_kvno = hist_db.key_data[0].key_data_kvno;
 
 done:
     free(hist_name);
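Review bot: Selecting `hist_db.key_data[0]` unconditionally is a deliberate policy decision (bypassing the permitted_enctypes / allow_weak_crypto filter that `krb5_dbe_find_enctype` would have applied) but nothing in the code says so, and a later maintainer could "fix" it back. Add a comment above the decrypt call, e.g. `/* Use the first key entry regardless of enctype: the history key only protects stored password history, so it must remain usable even when its enctype is disallowed by permitted_enctypes or allow_weak_crypto. */`. It would also be worth stating the assumption that the first entry carries the current kvno, since `hist_kvno` is taken from it. The `done:` label and the function's end continue past this hunk.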



