From 82f1c1f39196129502205a4852e9746c3c3b8101 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 14 Jun 2012 12:55:36 -0500
Subject: [PATCH] Encrypt keys in change password code even when !keepold
---
 lib/kadm5/chpass_s.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/lib/kadm5/chpass_s.c b/lib/kadm5/chpass_s.c
index 1cf17c476..e9b94d96f 100644
--- a/lib/kadm5/chpass_s.c
+++ b/lib/kadm5/chpass_s.c
@@ -115,22 +115,20 @@ change(void *server_handle,
 ent.entry.flags.require_pwchange = 0;
- if (keepold) {
- ret = hdb_seal_keys(context->context, context->db, &ent.entry);
- if (ret)
- goto out2;
- } else {
+ if (!keepold) {
 HDB_extension ext;
 memset(&ext, 0, sizeof (ext));
 ext.data.element = choice_HDB_extension_data_hist_keys;
- ext.data.u.hist_keys.len = 0;
- ext.data.u.hist_keys.val = NULL;
 ret = hdb_replace_extension(context->context, &ent.entry, &ext);
 if (ret)
 goto out2;
 }
+ ret = hdb_seal_keys(context->context, context->db, &ent.entry);
+ if (ret)
+ goto out2;
+
 ret = _kadm5_set_modifier(context, &ent.entry);
 if(ret)
 goto out2;
--
2.11.4.GIT
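Review bot: The now-unconditional `hdb_seal_keys` call after the `if (!keepold)` block is the only thing keeping freshly derived keys from reaching the database unencrypted, and nothing at that spot says so. I would add a comment above it such as `/* Seal on every path: keys must be encrypted before the entry is written back, with or without keepold. */` so a later refactor does not move it back under a condition. It is also worth confirming that the sealing covers whatever old keys were placed in the hist_keys extension on the keepold path, since that code and `hdb_seal_keys` itself are not visible here. `change()` begins and ends outside this hunk, so the `out2` cleanup that runs when sealing fails could not be checked either.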