Fix password reuse check with cpw -keepold

When we check for password reuse, only compare keys with the most
recent kvno against history entries, or else we will always fail with
-keepold.

This bug primarily affects rollover of cross-realm TGT principals,
which typically use password-derived keys and may have an associated
password policy such as "default".

Bug report and candidate fix (taken with a slight modification) by
Nicolas Williams.

ticket: 7110

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25801 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index f4715fbb1ee18fce60881ad7974589eecb268dc2..f77490fe1846a98cd6a71d00100737169344d60a 100644 (file)
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -972,6 +972,9 @@ check_pw_reuse(krb5_context context,
 
     assert (n_new_key_data >= 0);
     for (x = 0; x < (unsigned) n_new_key_data; x++) {
+        /* Check only entries with the most recent kvno. */
+        if (new_key_data[x].key_data_kvno != new_key_data[0].key_data_kvno)
+            break;
         ret = krb5_dbe_decrypt_key_data(context, NULL, &(new_key_data[x]),
                                         &newkey, NULL);
         if (ret)