hdb: fix hdb_unseal_keys_kvno return when no history

Prior to this change hdb_unseal_keys_kvno() could return successfully (0)
if the choice_HDB_extension_data_hist_keys extension was found but the
hist_keys list was empty.  As a side effect callers would believe that the
provided hdb_entry keys were unsealed when they weren't.  This could cause
the KDC or kadmin to report invalid key size errors.

If the extension is present and the history list is empty attempt to
unseal the provided hdb_entry using hdb_unseal_keys_mkey().

Change-Id: I9218b02bccdbcf22133a9464a677374db53ade85
Nicolas Williams
2015-03-10 23:35:32 -05:00
committed by Jeffrey Altman
parent 83011252d7
commit 95e56fa3ae


@@ -490,6 +490,14 @@ hdb_unseal_keys(krb5_context context, HDB *db, hdb_entry *ent)
return hdb_unseal_keys_mkey(context, ent, db->hdb_master_key);
}
/*
* Unseal the keys for the given kvno (or all of them) of entry.
*
* If kvno == 0 -> unseal all.
* if kvno != 0 -> unseal the requested kvno and make sure it's the one listed
* as the current keyset for the entry (swapping it with a
* historical keyset if need be).
*/
krb5_error_code
hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno,
unsigned flags, hdb_entry *ent)
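Review bot: The new header comment above `hdb_unseal_keys_kvno` describes `kvno` but says nothing about the `flags` parameter or the `krb5_error_code` result, both of which are visible in the signature directly below it. Since this is the function's only documentation, a line for each would complete it, e.g. `* flags: caller-supplied HDB flags (see the call sites for the accepted values)` and `* Returns 0 on success or a krb5_error_code on failure.`; I cannot see from this hunk what `flags` selects, so the wording should be confirmed against the body. The function body lies outside this hunk.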
@@ -519,8 +527,8 @@ hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno,
}
ext = hdb_find_extension(ent, choice_HDB_extension_data_hist_keys);
if (ext == NULL)
return ret;
if (ext == NULL || (&ext->data.u.hist_keys)->len == 0)
return hdb_unseal_keys_mkey(context, ent, db->hdb_master_key);
/* For swapping; see below */
tmp_len = ent->keys.len;
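Review bot: `(&ext->data.u.hist_keys)->len` on the new condition line takes the address of a struct member only to dereference it again; `ext->data.u.hist_keys.len` reads the same field and is how the rest of the code (e.g. `ent->keys.len` on the next line) spells it, so `if (ext == NULL || ext->data.u.hist_keys.len == 0)` is the idiomatic form. Because this single branch now covers two different situations — no history extension at all, and an extension with an empty list — a short comment would save the next reader a trip to the commit log, e.g. `/* No usable key history: unseal the current keyset directly */`. The old `return ret;` path is gone, so if `ret` was assigned only to feed that return it may now be dead on this path; I cannot tell from this hunk, since `hdb_unseal_keys_kvno` begins and ends outside it.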