From: Tom Yu Date: Thu, 14 Jan 2010 18:51:13 +0000 (+0000) Subject: pull up r23657 from trunk X-Git-Tag: krb5-1.8-beta1~23 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=32964f3175a26bba79b8e3033e0130d943565001;p=krb5.git pull up r23657 from trunk ------------------------------------------------------------------------ r23657 | ghudson | 2010-01-14 11:09:24 -0500 (Thu, 14 Jan 2010) | 9 lines ticket: 6640 subject: Make history key exempt from permitted_enctypes tags: pullup target_version: 1.8 In kdb_init_hist, just use the first key entry in the kadmin/history entry. This makes the history key work even if the enctype is disallowed by allow_weak_crypto=false or other configuration. ticket: 6640 version_fixed: 1.8 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23659 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c index 1e98a8e03..e1ffca20b 100644 --- a/src/lib/kadm5/srv/server_kdb.c +++ b/src/lib/kadm5/srv/server_kdb.c @@ -136,7 +136,6 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r) { int ret = 0; char *realm, *hist_name; - krb5_key_data *key_data; krb5_key_salt_tuple ks[1]; krb5_keyblock *tmp_mkey; @@ -205,10 +204,11 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r) } - ret = krb5_dbe_find_enctype(handle->context, &hist_db, -1, -1, -1, - &key_data); - if (ret) - goto done; + if (hist_db.n_key_data <= 0) { + krb5_set_error_message(handle->context, KRB5_KDB_NO_MATCHING_KEY, + "History entry contains no key data"); + return KRB5_KDB_NO_MATCHING_KEY; + } ret = krb5_dbe_find_mkey(handle->context, master_keylist, &hist_db, &tmp_mkey); 
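Review bot: The new `hist_db.n_key_data <= 0` branch exits with a bare `return`, while every other failure path visible in kdb_init_hist uses `goto done`, and the `done:` label shown in the next hunk frees `hist_name`. The empty-entry path therefore skips that cleanup, so at least `hist_name` is leaked, and anything else released after `done:` (not visible here) would be skipped as well. Keep the `krb5_set_error_message` call and replace the return with `ret = KRB5_KDB_NO_MATCHING_KEY;` followed by `goto done;`. The function body starts and ends outside this hunk, so confirm that the code after `done:` returns `ret`.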
@@ -216,11 +216,11 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r) goto done; ret = krb5_dbekd_decrypt_key_data(handle->context, tmp_mkey, - key_data, &hist_key, NULL); + &hist_db.key_data[0], &hist_key, NULL); if (ret) goto done; - hist_kvno = key_data->key_data_kvno; + hist_kvno = hist_db.key_data[0].key_data_kvno; done: free(hist_name);
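Review bot: The use of `hist_db.key_data[0]` in the decrypt call and in the `hist_kvno` assignment carries no comment, although per the commit message it deliberately bypasses the enctype filtering that the removed `krb5_dbe_find_enctype` lookup was subject to. A comment above the decrypt call would record that, e.g. `/* Use the first key entry as-is: the history key is exempt from permitted_enctypes / allow_weak_crypto (ticket 6640). */`. The comment should also say that index 0 is assumed to be the current history key, since the ordering of `key_data` is not visible in this hunk. A history key of a weak enctype will now keep working without any diagnostic, which is worth stating for operators who set allow_weak_crypto=false.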