krb5 commit [krb5-1.11]: Use active master key in update_princ_encryption

Mon Oct 28 15:21:48 EDT 2013

https://github.com/krb5/krb5/commit/feaf28664b2ef86314d39e0cf3e437aae5350eb9
commit feaf28664b2ef86314d39e0cf3e437aae5350eb9
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Oct 23 11:55:19 2013 -0400

    Use active master key in update_princ_encryption
    
    kdb5_util update_princ_encryption should update to the active master
    key version, not the most recent.
    
    (cherry picked from commit 4ccc18bc3ddc49d0fd0d2de00ec91c0fa44c53a8)
    
    ticket: 7735 (new)
    version_fixed: 1.11.4
    status: resolved

 doc/admin/admin_commands/kdb5_util.rst |    4 ++--
 src/kadmin/dbutil/kdb5_mkey.c          |   15 +++++----------
 2 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst
index d866777..847924e 100644
--- a/doc/admin/admin_commands/kdb5_util.rst
+++ b/doc/admin/admin_commands/kdb5_util.rst
@@ -340,8 +340,8 @@ update_princ_encryption
 
 Update all principal records (or only those matching the
 *princ-pattern* glob pattern) to re-encrypt the key data using the
-active database master key, if they are encrypted using older
-versions, and give a count at the end of the number of principals
+active database master key, if they are encrypted using a different
+version, and give a count at the end of the number of principals
 updated.  If the **-f** option is not given, ask for confirmation
 before starting to make changes.  The **-v** option causes each
 principal processed to be listed, with an indication as to whether it
diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
index 599b614..120b3a2 100644
--- a/src/kadmin/dbutil/kdb5_mkey.c
+++ b/src/kadmin/dbutil/kdb5_mkey.c
@@ -935,7 +935,7 @@ kdb5_update_princ_encryption(int argc, char *argv[])
     char *msg;
 #endif
     char *regexp = NULL;
-    krb5_keyblock *tmp_keyblock = NULL;
+    krb5_keyblock *act_mkey;
     krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
 
     while ((optchar = getopt(argc, argv, "fnv")) != -1) {
@@ -1020,19 +1020,14 @@ kdb5_update_princ_encryption(int argc, char *argv[])
         goto cleanup;
     }
 
-    /* Master key is always stored encrypted in the latest version of
-       itself.  */
-    new_mkvno = krb5_db_get_key_data_kvno(util_context,
-                                          master_entry->n_key_data,
-                                          master_entry->key_data);
-
-    retval = krb5_dbe_find_mkey(util_context, master_entry, &tmp_keyblock);
+    retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &new_mkvno,
+                                    &act_mkey);
     if (retval) {
-        com_err(progname, retval, _("retrieving the most recent master key"));
+        com_err(progname, retval, _("while looking up active master key"));
         exit_status++;
         goto cleanup;
     }
-    new_master_keyblock = *tmp_keyblock;
+    new_master_keyblock = *act_mkey;
 
     if (!force &&
         !data.dry_run &&
