From b102c57ee3c0c5355bfd3e49481352ad1fecb23a Mon Sep 17 00:00:00 2001 From: Theodore Tso Date: Thu, 14 Sep 1995 02:54:13 +0000 Subject: [PATCH] (key_encrypt_keys): Remove equally errneous krb5_use_enctype() call from key_encrypt_keys(). (key_string2key_keysalt and key_randomkey_keysalt): Install really ugly hack to prevent these routines from munging the master_encblock. This is not the correct fix. Proven will be making the correct fix which will involve removing these routines and using the corect libkdb functions. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6786 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/v5server/ChangeLog | 9 +++++++++ src/kadmin/v5server/srv_key.c | 32 +++++++++++++++++++++++++++++--- 2 files changed, 38 insertions(+), 3 deletions(-) diff --git a/src/kadmin/v5server/ChangeLog b/src/kadmin/v5server/ChangeLog index d7896a706..52a4fb7d7 100644 --- a/src/kadmin/v5server/ChangeLog +++ b/src/kadmin/v5server/ChangeLog @@ -1,5 +1,14 @@ Wed Sep 13 22:08:56 1995 Theodore Y. Ts'o (tytso@dcl) + * srv_key.c (key_string2key_keysalt and key_randomkey_keysalt): + Install really ugly hack to prevent these routines from munging + the master_encblock. This is not the correct fix. Proven + will be making the correct fix which will involve removing + these routines and using the corect libkdb functions. + + * srv_key.c (key_encrypt_keys): Remove equally errneous + krb5_use_enctype() call from key_encrypt_keys(). + * srv_key.c (key_decrypt_keys): Keys are encrypted in the key of the master key encryption type, not in the keytype of the key!!! Removed erroneous krb5_use_enctype() call. diff --git a/src/kadmin/v5server/srv_key.c b/src/kadmin/v5server/srv_key.c index 3cf8af9c7..25e709833 100644 --- a/src/kadmin/v5server/srv_key.c +++ b/src/kadmin/v5server/srv_key.c @@ -641,6 +641,7 @@ key_string2key_keysalt(ksent, ptr) krb5_data salt; krb5_keyblock key; krb5_key_data *okeyp; + krb5_enctype old_enctype; argp = (struct keysalt_iterate_args *) ptr; kret = 0; 
@@ -648,6 +649,17 @@ key_string2key_keysalt(ksent, ptr) * Determine if this key/salt pair is salted. */ salted = 0; + /* + * XXXXX this is totally, totally wrong. We should never be using + * krb5_use_enctype on master_encblock. In particular, it won't + * work once we start having non-DES encryption systems. + * + * For now, we're going to do ths ugly kludge where we save the + * master_encblock's old encryption system, and restore it at the + * end of this routine. This is wrong, and it *will* break in the + * future. We need to fix this before we let this code go out.... + */ + old_enctype = master_encblock.crypto_entry->proto_enctype; krb5_use_enctype(argp->context, &master_encblock, ksent->ks_enctype); if (!krb5_dbe_find_enctype(argp->context, argp->dbentry, @@ -749,6 +761,7 @@ key_string2key_keysalt(ksent, ptr) okeyp->key_data_contents[1] = (krb5_octet *) salt.data; } done: + krb5_use_enctype(argp->context, &master_encblock, old_enctype); return(kret); } @@ -831,10 +844,22 @@ key_randomkey_keysalt(ksent, ptr) krb5_error_code kret; krb5_keyblock *key; krb5_key_data *okeyp; + krb5_enctype old_enctype; argp = (struct keysalt_iterate_args *) ptr; kret = 0; + /* + * XXXXX this is totally, totally wrong. We should never be using + * krb5_use_enctype on master_encblock. In particular, it won't + * work once we start having non-DES encryption systems. + * + * For now, we're going to do ths ugly kludge where we save the + * master_encblock's old encryption system, and restore it at the + * end of this routine. This is wrong, and it *will* break in the + * future. We need to fix this before we let this code go out.... + */ + old_enctype = master_encblock.crypto_entry->proto_enctype; krb5_use_enctype(argp->context, &master_encblock, ksent->ks_enctype); if (krb5_dbe_find_enctype(argp->context, argp->dbentry, 
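Review bot: The added save reads `master_encblock.crypto_entry->proto_enctype` with no check that `crypto_entry` has been set, so reaching this routine before the master encrypt block is initialised would dereference a null pointer; whether that ordering can happen is not visible from this hunk. From this line until the restore, the process-wide master_encblock describes the per-key enctype, and presumably any helper called in that window that means to work under the master key will use `ksent->ks_enctype` instead. I would mark the window explicitly right after the switch, e.g. `/* master_encblock is NOT the master key's enctype from here to done: */`. The same save line is added in key_randomkey_keysalt (hunk at -831). The body of key_string2key_keysalt starts and ends outside this hunk.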
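Review bot: The restore is placed after the `done:` label, so it only runs on paths that reach that label; any plain `return` between the switch and `done:` would leave master_encblock on the per-key enctype for every later master-key operation in the server. The code between the two hunks is not shown, so this needs checking against the whole routine. Conversely, `old_enctype` is declared without an initialiser, so a `goto done` taken before the save would restore an indeterminate value. The restore in key_randomkey_keysalt (hunk at -879) sits before the final `return(kret);` and has the same exposure to early exits. A one-line marker at the label, as the other routine has, would also help: `/* XXXX kludge: put master_encblock back; see top of routine. */`.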
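Review bot: The ten-line XXXXX comment and the save/switch pair are pasted verbatim from key_string2key_keysalt (including the "ths" typo), which leaves two copies of a workaround that has to be found and removed together. Since the commit message already says these routines are to be replaced, keeping the kludge in one pair of static helpers would make the eventual removal, and any interim hardening such as a null check, a single-place change. The helper names below are a proposal, and the sketch assumes `argp->context` is a `krb5_context`, which this hunk does not show. The body of key_randomkey_keysalt continues outside this hunk.

```c
/* XXXXX kludge: point master_encblock at a per-key enctype, return the old one. */
static krb5_enctype
master_encblock_switch(kcontext, enctype)
    krb5_context	kcontext;
    krb5_enctype	enctype;
{
    krb5_enctype	saved;

    saved = master_encblock.crypto_entry->proto_enctype;
    krb5_use_enctype(kcontext, &master_encblock, enctype);
    return(saved);
}

/* XXXXX kludge: undo master_encblock_switch(). */
static void
master_encblock_restore(kcontext, saved)
    krb5_context	kcontext;
    krb5_enctype	saved;
{
    krb5_use_enctype(kcontext, &master_encblock, saved);
}

/* ... unchanged: declarations and argp/kret setup in key_randomkey_keysalt ... */
    old_enctype = master_encblock_switch(argp->context, ksent->ks_enctype);
```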
@@ -879,6 +904,10 @@ key_randomkey_keysalt(ksent, ptr) krb5_xfree(key); } } + /* + * XXXX This is a kludge!!! See above. + */ + krb5_use_enctype(argp->context, &master_encblock, old_enctype); return(kret); } @@ -960,9 +989,6 @@ key_encrypt_keys(kcontext, dbentp, nkeysp, inkeys, outkeysp) ndone = 0; nkeys = *nkeysp; for (i=0; i