[krbdev.mit.edu #5840] Prevent kadm5_decrypt_key() from coercing the keytype if the requested ktype == -1
Jeffrey Altman via RT
rt-comment at krbdev.mit.edu
Fri Nov 9 15:14:52 EST 2007
Please review this patch to kadm5_decrypt_key(). This patch prevents
the returned keyblock's enctype from being coerced to the requested
'ktype' if the requested 'ktype' == -1. A ktype of -1 is to be ignored.
Index: svr_principal.c
===================================================================
--- svr_principal.c (revision 20163)
+++ svr_principal.c (working copy)
@@ -2156,7 +2156,8 @@
* inexact match on the enctype; this behavior will go away when
* the key storage architecture gets redesigned for 1.3.
*/
- keyblock->enctype = ktype;
+ if (ktype == -1)
+ keyblock->enctype = ktype;
if (kvnop)
*kvnop = key_data->key_data_kvno;
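
Review bot: The test on the added "if (ktype == -1)" line looks inverted relative to the description. As written, keyblock->enctype is overwritten only when ktype is -1, which sets the enctype to -1, and it is never coerced when a real enctype is requested. To leave the keyblock's enctype alone when ktype is -1, the condition should be "if (ktype != -1)". The comment above the assignment would also benefit from a sentence saying that a ktype of -1 means the requested enctype is ignored.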