Reject if any key in old keys are in the new keyset, the list of enctypes might have changed. Pointed out by David Markey

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24024 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-11-12 04:17:47 +00:00
parent 960f3f45ec
commit bbd689d3b3
2 changed files with 29 additions and 27 deletions
--- a/lib/kadm5/chpass_s.c
+++ b/lib/kadm5/chpass_s.c
@@ -46,7 +46,7 @@ change(void *server_handle,
    kadm5_ret_t ret;
    Key *keys;
    size_t num_keys;
-    int cmp = 1;
+    int existsp = 0;

    memset(&ent, 0, sizeof(ent));
    ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
@@ -70,11 +70,11 @@ change(void *server_handle,
    }
    ent.entry.kvno++;
    if (cond)
-	cmp = _kadm5_cmp_keys (ent.entry.keys.val, ent.entry.keys.len,
-			       keys, num_keys);
+	existsp = _kadm5_exists_keys (ent.entry.keys.val, ent.entry.keys.len,
+				      keys, num_keys);
    _kadm5_free_keys (context->context, num_keys, keys);

-    if (cmp == 0) {
+    if (existsp) {
 	ret = KADM5_PASS_REUSE;
 	krb5_set_error_message(context->context, ret, "Password reuse forbidden");
 	goto out2;